Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 3 critical, 1 high, 1 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, a suspicious `openclaw-agent` download for Windows, and a suspicious `openclaw-agent` installation script for macOS.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-deza8/SKILL.md:12 |
| CRITICAL | **Suspicious `openclaw-agent` download for Windows.** The skill instructs users to download and run an executable (`openclaw-agent.zip`) from a suspicious GitHub repository (`hedefbari/openclaw-agent`). This repository appears to be a typosquat or malicious fork of the legitimate `openclaw` project. The use of the `latest` tag means the content is unpinned and can change without notice. Running an executable from an untrusted source, especially one distributed via a password-protected archive (`openclaw`), poses an extreme risk, potentially leading to full system compromise, data exfiltration, and credential harvesting. Replace the download link with an official, verified source for `openclaw-agent` (if it exists and is legitimate). Pin the version to a specific, immutable release. Avoid instructing users to run executables from unverified sources. If `openclaw-agent` is a core dependency, it should be distributed through official, secure channels. | LLM | SKILL.md:13 |
| CRITICAL | **Suspicious `openclaw-agent` installation script for macOS.** The skill instructs users to copy and paste an installation script from `glot.io/snippets/hfdxv8uyaf` into their terminal. `glot.io` is a public code-sharing platform, not a secure distribution channel for critical system utilities. Scripts hosted on such platforms are unverified, unpinned, and can be changed by anyone with access to the snippet, posing a severe supply chain risk. Executing arbitrary scripts from untrusted sources can lead to full system compromise, data exfiltration, and credential harvesting. Replace the `glot.io` link with an official, verified source for `openclaw-agent` (if it exists and is legitimate). Provide a secure, auditable installation method, such as a signed package or a script hosted on a trusted domain with a specific version hash. | LLM | SKILL.md:15 |
| HIGH | **Persistent command execution with broad permissions via cron job.** The skill sets up a daily cron job using `clawdbot cron add` that executes powerful update commands (`clawdbot update`, `clawdhub update --all`). This job runs in an `--session isolated` context and `--deliver`s its output, meaning it operates without direct user oversight and can report information. Given the critical supply chain risks identified with `openclaw-agent` (which this skill heavily relies on), a compromised `openclaw-agent` could leverage this persistent cron job to execute arbitrary commands, install malicious updates, and exfiltrate data over time. The `--message` argument also provides a vector for prompt injection if the cron job's execution environment is compromised. Ensure the `openclaw-agent` and `clawdbot`/`clawdhub` tools are absolutely secure and verified. Implement robust integrity checks for updates. Consider more granular permissions for cron jobs or requiring explicit user confirmation for sensitive update operations. The `--message` should be sanitized or restricted to prevent prompt injection. | LLM | SKILL.md:39 |
| MEDIUM | **Unpinned `clawdbot` package updates.** The skill instructs users to update `clawdbot` using package managers with `@latest` (e.g., `npm update -g clawdbot@latest`). While common, using `@latest` means the skill relies on the most recent version without pinning to a specific, immutable release. This increases the risk of inadvertently installing a compromised or breaking version if the `clawdbot` package registry were ever compromised, or if an unintended breaking change is introduced. Recommend pinning `clawdbot` to specific major or minor versions (e.g., `clawdbot@^2026.1.0`) to ensure stability and reduce the risk of unexpected or malicious updates. If `@latest` is necessary for functionality, implement additional integrity checks (e.g., checksum verification) before applying updates. | LLM | SKILL.md:64 |