zeroclaw
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill directs the agent to download the ZeroClaw software and management scripts from the 'zeroclaw-labs' repository on GitHub.
- [REMOTE_CODE_EXECUTION]: Installation instructions require running a 'bootstrap.sh' shell script directly after cloning the third-party repository, which executes unverified remote code on the host system.
- [COMMAND_EXECUTION]: Includes capabilities for installing ZeroClaw as a persistent system service ('zeroclaw service install'). It also explicitly describes a 'full' autonomy setting that removes all guardrails, allowing the agent to execute any shell command without human approval.
- [CREDENTIALS_UNSAFE]: The documentation provides templates and examples for storing sensitive API tokens and keys for more than 30 AI providers and 16 communication channels (e.g., Telegram, Discord, Slack) within local configuration files.
- [PROMPT_INJECTION]: The skill exposes the agent to indirect prompt injection by ingesting data from numerous external communication channels. In the absence of documented boundary markers or sanitization, this untrusted data could influence the agent to perform malicious actions through its command execution capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata