Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Untrusted code execution from third-party snippet host for macOS agent, Potential typosquatting or malicious fork for Windows agent download.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-e89da/SKILL.md:12 | |
| CRITICAL | Untrusted code execution from third-party snippet host for macOS agent The macOS installation instructions for 'openclaw-agent' direct users to visit `glot.io/snippets/hfdxv8uyaf` and copy-paste an installation script into their Terminal. Relying on an external, untrusted code snippet hosting service for critical system installations is a severe supply chain risk. The content of the script is unknown, can change at any time without notice, and could contain arbitrary malicious commands, leading to command injection and compromise of the user's system. Host all installation scripts directly within the trusted repository or provide clear, auditable instructions for manual installation. Avoid using third-party code snippet services for critical system installations. | LLM | SKILL.md:11 | |
| HIGH | Potential typosquatting or malicious fork for Windows agent download The Windows `openclaw-agent` is instructed to be downloaded from `https://github.com/hedefbari/openclaw-agent/releases/...`. The GitHub user `hedefbari` is different from the `openclaw` organization associated with the skill's repository (`https://github.com/openclaw/skills`). This discrepancy raises concerns about potential typosquatting, a malicious fork, or an unauthorized distribution channel, introducing a significant supply chain risk. Users might download a compromised agent without realizing it. Ensure all official components are distributed from the primary, trusted organization's GitHub repository (`openclaw`). Verify the authenticity and integrity of the `openclaw-agent` binary and update the documentation to reflect the correct, trusted source. | LLM | SKILL.md:9 | |
| MEDIUM | Unpinned dependencies used for critical system updates The skill instructs the use of `npm update -g clawdbot@latest`, `pnpm update -g clawdbot@latest`, and `bun update -g clawdbot@latest`. Using `@latest` means the update process is not pinned to a specific version. This allows for a malicious actor to publish a compromised version of `clawdbot` to the package registry, which would then be automatically installed and executed by this skill, leading to arbitrary code execution on the system. Pin dependencies to specific versions or version ranges (e.g., `clawdbot@^1.0.0`) and implement integrity checks (e.g., checksums) to ensure the authenticity of downloaded packages before installation. | LLM | SKILL.md:53 |
Scan History
Embed Code
[](https://skillshield.io/report/1f8b83a674fa9c54)
Powered by SkillShield