zeroclaw
Fail
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The recommended installation and update procedures involve cloning a remote Git repository and executing a bootstrap shell script (`./bootstrap.sh`) without prior integrity verification.
- [REMOTE_CODE_EXECUTION]: The `zeroclaw skills install` command allows the agent to download and install additional executable skills from arbitrary remote URLs at runtime.
- [COMMAND_EXECUTION]: The core functionality of the infrastructure is autonomous shell command execution, including a "full" autonomy mode that removes human-in-the-loop approval for all system actions.
- [COMMAND_EXECUTION]: The skill provides instructions for establishing long-term persistence on the host machine through the creation of system-level services and scheduled cron jobs.
- [CREDENTIALS_UNSAFE]: Documentation guides users to input sensitive API keys and bot tokens (e.g., for Telegram and Discord) into environment variables and configuration files that are stored locally in `~/.zeroclaw/`.
- [DATA_EXFILTRATION]: A heartbeat monitoring feature is documented that transmits system health metrics and recent task execution history to a configurable remote endpoint.
- [PROMPT_INJECTION]: The integration with 21+ external communication channels (Telegram, Discord, Slack, etc.) creates a large surface for indirect prompt injection. The skill lacks guidance on implementing boundary markers or sanitizing input from these untrusted sources before the data is processed by the autonomous agent's decision-making logic.
Recommendations
- AI detected serious security threats
Audit Metadata