zeroclaw
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of a remote bootstrap script via `curl -fsSL https://raw.githubusercontent.com/zeroclaw-labs/zeroclaw/main/scripts/bootstrap.sh | bash`. This allows unverified remote code to run with the privileges of the local user.
- [EXTERNAL_DOWNLOADS]: Downloads scripts and refers to binaries from the `zeroclaw-labs` GitHub organization, which is not a pre-approved trusted source.
- [COMMAND_EXECUTION]: The skill utilizes powerful CLI commands for service installation, daemon management, and gateway hosting, which perform privileged system operations.
- [CREDENTIALS_UNSAFE]: References the management of sensitive authentication profiles and secret keys stored in `~/.zeroclaw/auth-profiles.json` and `~/.zeroclaw/.secret_key` for various AI providers.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/zeroclaw-labs/zeroclaw/main/scripts/bootstrap.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata