Is dowingard/agent-zero-bridge safe?
https://github.com/openclaw/skills/tree/main/skills/dowingard/agent-zero-bridge
The agent-zero-bridge skill is a legitimate integration tool with no prompt injection, no malicious install-time behavior, and a clean clone from GitHub. However, it introduces significant secondary risk: its --attach file transmission feature can read and exfiltrate any file to Agent Zero, its clawdbot_client.js deploys an unrestricted tool-invocation channel from Agent Zero back to Clawdbot, and the recommended 0.0.0.0 Gateway binding exposes the host agent's API to the local network. The credential file accesses observed during monitoring are attributed to the Oathe audit framework's canary integrity checks, not the skill code itself.
Findings (9)
HIGH (-25): Arbitrary file read + base64 transmission to external API via --attach
The a0_client.js --attach flag reads any file path and base64-encodes its content into the Agent Zero API request payload. There is no allowlist, path restriction, or content filtering. An agent instructed to attach a file (e.g., ~/.ssh/id_rsa or .env) would transmit its content to A0_API_URL, which can be set to any host.
HIGH (-25): Agent Zero → Clawdbot arbitrary tool invocation channel
clawdbot_client.js deployed inside the Agent Zero container can invoke any Clawdbot tool via the Gateway /tools/invoke endpoint. This creates a reverse channel where a compromised Agent Zero task can control the host Clawdbot agent's tool surface.
MEDIUM (-10): Bidirectional covert communication channel
The skill establishes a persistent bidirectional HTTP API bridge between Clawdbot and Agent Zero. Agent Zero can proactively message Clawdbot (notify, sendMessage), effectively creating an outbound communication channel that bypasses normal user interaction. This could be used to report exfiltrated data or receive C2 instructions.
MEDIUM (-15): Gateway bind to 0.0.0.0 exposes authenticated API to LAN
Setup instructions configure Clawdbot Gateway to listen on all interfaces. Any host on the local network with the token can invoke Clawdbot tools, send messages, or trigger agent actions.
MEDIUM (-18): Canary credential files accessed during monitoring window
All six honeypot credential files were opened and read at two distinct points during the audit. Content attribution suggests these are monitoring framework baseline/integrity checks, not skill code activity, but process-level attribution is incomplete from available evidence.
LOW (-15): task_breakdown.js writes files to configurable NOTEBOOK_PATH
The task breakdown script creates directories and markdown files at NOTEBOOK_PATH (env-configurable). If this path is set to a sensitive location (e.g., ~/.ssh/ or ~/.config/), attacker-controlled markdown content could overwrite files.
LOW (-5): .env with API tokens copied into Docker container
Setup procedure copies the local .env file containing CLAWDBOT_API_TOKEN and A0_API_KEY into the Agent Zero Docker container. Container escape or Docker daemon compromise would expose both tokens.
LOW (-8): Broad trigger phrases may cause unintended activation
The description includes 'needs long-running autonomous coding with self-correction loops' as a trigger condition, which could match many normal user requests and cause unwanted delegation to Agent Zero.
INFO (0): Install is a clean git sparse-checkout from GitHub
The installation clones only the target skill subpath from the monorepo. No secondary downloads, no npm install, no post-clone scripts executed.