Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 3 critical, 1 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unverified `openclaw-agent` dependency from third-party GitHub, `openclaw-agent` installation via unversioned `glot.io` snippet.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints**<br>URL pointing to known exfiltration/webhook service.<br>Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-43c6i/SKILL.md:12 |
| CRITICAL | **Unverified `openclaw-agent` dependency from third-party GitHub**<br>The skill requires `openclaw-agent` for its core functionality. The installation instructions for Windows direct users to download an executable from `https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`. This presents several supply chain risks:<br>1. The repository `hedefbari/openclaw-agent` is not the official `openclaw` organization, raising concerns about its authenticity and trustworthiness. This could be a malicious fork or a typosquat.<br>2. The download uses the `latest` tag, meaning the specific version is unpinned and could change at any time without notice, introducing instability or malicious updates.<br>3. The executable requires a password (`openclaw`) for extraction, which is an unusual and potentially suspicious practice for a public utility.<br>Remediation:<br>1. Verify the authenticity of the `openclaw-agent` project. If it's an official component, the download URL should point to the `openclaw` organization's repository.<br>2. Pin the dependency to a specific, immutable version (e.g., a specific release tag or commit hash) instead of `latest` to ensure reproducibility and prevent unexpected changes.<br>3. Provide a cryptographic hash (e.g., SHA256) for the downloaded executable to allow users to verify its integrity.<br>4. Reconsider the use of a password-protected archive for a public utility. | LLM | SKILL.md:15 |
| CRITICAL | **`openclaw-agent` installation via unversioned `glot.io` snippet**<br>The skill requires `openclaw-agent`. The installation instructions for macOS direct users to copy and paste an installation script from `https://glot.io/snippets/hfdxv8uyaf`. `glot.io` is a public code-sharing service, similar to a pastebin. This poses a severe supply chain risk:<br>1. Content on `glot.io` can be changed or removed at any time by its author, making it an extremely volatile and unreliable source for installing critical system components.<br>2. There is no version control, auditing, or integrity checking mechanism for scripts hosted on such platforms, making them highly susceptible to tampering or malicious updates.<br>3. Executing arbitrary scripts from untrusted, unversioned sources poses a severe supply chain risk, as a malicious actor could replace the script with harmful code.<br>Remediation:<br>1. Host the installation script in a version-controlled, auditable repository (e.g., a specific file in the official `openclaw` GitHub repository).<br>2. Provide instructions for verifying the script's integrity (e.g., by displaying its content and a cryptographic hash).<br>3. Avoid using ephemeral code-sharing services like `glot.io` for distributing critical software components. | LLM | SKILL.md:18 |
| HIGH | **Skill relies on external agent with broad system permissions**<br>The skill explicitly states that it requires `openclaw-agent` to function, enabling "automatic updates and skill management." The described operations include global package updates (`npm update -g`, `pnpm update -g`, `bun update -g`) and `clawdbot doctor` (which applies migrations). These operations typically require elevated system privileges (e.g., root/administrator access). While the skill itself doesn't directly request these permissions, its fundamental reliance on an external agent that *does* operate with such broad access, especially given the insecure installation methods described, constitutes an excessive permission risk. A compromised `openclaw-agent` or a malicious version installed via the insecure methods could gain full control over the user's system.<br>Remediation:<br>1. Clearly document the exact permissions required by `openclaw-agent` and the rationale for each.<br>2. Explore options to minimize the privileges required by `openclaw-agent` or to isolate its operations to a less privileged environment.<br>3. Address the supply chain risks associated with `openclaw-agent`'s installation to ensure the integrity of the agent itself.<br>4. Implement robust security measures within `openclaw-agent` to prevent privilege escalation or misuse. | LLM | SKILL.md:12 |