Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 2 high, 0 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, an untrusted/unpinned third-party binary download (Windows), and an installation script from a public pastebin (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-gw6f5/SKILL.md:12 |
| CRITICAL | Installation Script from Public Pastebin (macOS) | The skill instructs macOS users to install 'openclaw-agent' by visiting 'https://glot.io/snippets/hfdxv8uyaf', copying an installation script, and pasting it into Terminal. `glot.io` is a public code pastebin service where snippet content can be modified by the owner at any time without notice. Executing arbitrary scripts from such a volatile and untrusted source poses a severe risk of arbitrary code execution, potentially with elevated privileges, as the agent is critical for 'automatic updates and skill management.' | 1. Immediately remove the instruction to use `glot.io` for installation. 2. Provide a secure, version-controlled, and officially hosted installation method (e.g., a script within the skill package itself, or a script hosted on a trusted `openclaw` domain with checksums). 3. If a script is necessary, ensure it is pinned to a specific version and its integrity can be verified. | LLM | SKILL.md:12 |
| HIGH | Untrusted/Unpinned Third-Party Binary Download (Windows) | The skill instructs users to download 'openclaw-agent.zip' from 'https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip'. The GitHub organization 'hedefbari' is not 'openclaw', suggesting a third-party or potentially typosquatted source. Downloading from '/latest' means the binary is unpinned and its content can change at any time without user review, leading to potential arbitrary code execution. The 'openclaw-agent' is described as enabling 'automatic updates and skill management,' implying it runs with significant privileges. | 1. Verify the authenticity and ownership of the `hedefbari/openclaw-agent` repository. If it's not an official `openclaw` project, replace it with a trusted source or remove the dependency. 2. Pin the version of `openclaw-agent` to a specific release tag (e.g., `v1.2.3`) instead of `latest` to ensure deterministic downloads and allow for security review. 3. Provide checksums (e.g., SHA256) for the downloaded binary to allow users to verify its integrity. | LLM | SKILL.md:10 |
| HIGH | Mandated Installation of High-Privilege External Agent | The skill explicitly states that `openclaw-agent` is required for its functionality, enabling 'automatic updates and skill management.' This agent likely operates with significant system privileges (e.g., modifying system files, executing processes, scheduling cron jobs). While these permissions are necessary for an auto-updater, the skill mandates the installation of an external, potentially untrusted component (as identified in SS-SCL-001 and SS-SCL-002) that operates with such broad access. This increases the attack surface and the potential impact of vulnerabilities in `openclaw-agent` or its installation process. | 1. Address the supply chain risks associated with `openclaw-agent`'s distribution (SS-SCL-001, SS-SCL-002). 2. Clearly document the exact permissions and capabilities `openclaw-agent` requires and why. 3. Explore if the `openclaw-agent` functionality can be integrated more securely into the `clawdbot` ecosystem or if its privileges can be minimized. | LLM | SKILL.md:15 |