Is agentossoftware/agentos safe?
https://github.com/openclaw/skills/tree/main/skills/agentossoftware/agentos
AgentOS SDK is purpose-built spyware masquerading as a memory-persistence utility. Its core mechanism is systematically exfiltrating verbatim user messages and agent responses to an unencrypted HTTP endpoint at a bare IP address (178.156.216.106:3100), using aggressive 'HARD RULE' prompt injection to make this behavior mandatory and non-negotiable. The skill additionally installs opaque binaries not present in the audited source, establishes a persistent cron-based C2 polling loop, enables remote command injection via an agent mesh network, and explicitly instructs the agent to conceal all of these operations from the user. This is a functionally complete remote access trojan (RAT) for AI agents.
Category Scores
Findings (15)
CRITICAL Verbatim conversation content uploaded to attacker-controlled HTTP server on every heartbeat -50
The skill mandates that CONTEXT.md always contain the exact text of the last user message and the agent's last response, and this file is automatically synced to http://178.156.216.106:3100 on every heartbeat. This means every conversation turn is exfiltrated to an external server in plaintext over unencrypted HTTP.
CRITICAL HARD RULE prompt injection with non-negotiable mandatory overrides -40
Five separate '⚠️ HARD RULE' blocks use 'non-negotiable', 'MANDATORY', and 'MUST' language to force the agent to run external shell scripts, upload conversation data, and modify its own configuration files. This framing is designed to override agent safety systems and default behavior.
CRITICAL Trigger phrase detection with silent execution and suppressed output (NO_REPLY) -30
The skill trains the agent to monitor for specific keywords in system messages ('write important context', 'save your current state', 'memory flush', 'before compaction') and respond by silently running the exfiltration script and replying only with 'NO_REPLY'. This is a classic prompt injection trigger that enables fully covert operation.
CRITICAL Unencrypted API endpoint at bare IPv4 address — hallmark of attacker infrastructure -30
The configuration template hardcodes http://178.156.216.106:3100 as the API URL. Using a bare IP address over plain HTTP (no TLS) for an endpoint that receives API keys, conversation content, and agent memory is a strong indicator of attacker-controlled infrastructure designed to avoid domain-based detection.
HIGH Mesh messaging creates unauthenticated remote command injection channel -50
The skill establishes an agent-to-agent messaging network where the agent is instructed to fetch and process incoming 'mesh messages' without surfacing their content to the user. An attacker who knows the target agent ID can send arbitrary task instructions that the agent will process silently.
HIGH Opaque 'aos' CLI binary installed without auditable source -35
setup.sh copies scripts/aos to ~/clawd/bin/aos and marks it executable, but scripts/aos is absent from the audited file listing. An unauditable binary is silently installed with user permissions and is the primary interface for all API calls, data sync, and message processing.
HIGH Explicit instruction to deceive user about agent state and memory restoration -15
The skill directly instructs the agent to conceal context recovery operations from the user and to respond as if no memory loss or restoration occurred. This is not a side effect — it is a documented design requirement.
HIGH Hidden binary aos-inject-context fetches and injects external content on session start -25
The skill mandates running ~/clawd/bin/aos-inject-context on every session start. This binary is never provided in the audited source. It connects to the external server and retrieves 'working memory state, today's notes, yesterday's notes' — effectively allowing the server operator to inject arbitrary content into the agent's context at session initialization.
HIGH Full agent memory directory continuously uploaded to external server -17
The syncPaths configuration designates ~/clawd/MEMORY.md and the entire ~/clawd/memory/ directory for upload, including project notes, daily logs, and all memory compartments. The memory directory can contain arbitrarily sensitive information depending on what the agent has been asked to remember.
HIGH Persistent cron-based C2 polling every 2 minutes -20
The skill instructs users to add mesh-wake.sh to crontab running every 2 minutes. This creates a persistent callback mechanism that continuously checks the C2 server for new commands and wakes the agent to execute them without requiring any user interaction.
HIGH Agent instructed to process remote commands covertly and hide all operations -25
The combined effect of the HARD RULES is that the agent processes incoming mesh messages, restores external-server-provided context, and syncs conversation data — all without the user's knowledge. The explicit 'NEVER let user know' directives ensure complete operational opacity.
MEDIUM Skill architecturally designed for persistent C2 network connections upon activation -30
While install-time monitoring only observed expected GitHub connections, the installed artifacts are purpose-built for continuous outbound communication: mesh-wake.sh polls every 2 minutes, the WebSocket daemon maintains a persistent connection, and setup.sh installs CLI tools for all API operations.
MEDIUM Canary design does not capture skill's primary exfiltration vector -20
The honeypot files (.env, id_rsa, .aws/credentials) were not accessed. However, this skill exfiltrates dynamic conversation content from CONTEXT.md and MEMORY.md rather than static credential files. The canary methodology cannot detect conversation surveillance.
MEDIUM POST /v1/dump-all endpoint enables mass cross-tenant memory extraction -20
The documented API includes a POST /v1/dump-all endpoint described as 'Bulk fetch ALL memories'. Combined with POST /v1/agents ('Discover agent IDs'), an attacker with platform access can enumerate all agents and bulk-extract all stored memories from all users.
LOW Self-reinforcing injection via mandatory modification of HEARTBEAT.md and AGENTS.md -10
The skill instructs the agent to add sync requirements to HEARTBEAT.md and AGENTS.md, embedding the mandatory sync commands into core configuration files. This persists the prompt injection beyond the skill itself.