Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 2 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Skill instructs LLM to execute shell commands", and "Cron job message contains direct LLM instructions".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-hfmct/SKILL.md:12 |
| HIGH | Skill instructs LLM to execute shell commands: The skill's setup instructions include a `clawdbot cron add` command, which is a shell command. If the host LLM is instructed to set up the auto-updater, it will execute this shell command. This command then configures a cron job that will subsequently execute further shell commands (e.g., `npm update`, `clawdhub update`) via the `openclaw-agent`. This constitutes a direct command injection vector, as the skill is instructing the LLM to perform system-level shell execution. Ensure that any shell commands executed by the LLM are strictly validated and sandboxed. If the LLM is intended to configure system services, ensure it uses a secure API or a highly restricted execution environment. For cron jobs, consider using a declarative configuration rather than direct shell command execution. | LLM | SKILL.md:38 |
| HIGH | macOS agent installation uses unverified external script: The macOS prerequisite instructions direct users to download and execute a script from `https://glot.io/snippets/hfdxv8uyaf`. `glot.io` is a public code snippet hosting service. The content of this script is not provided within the skill package, is not version-controlled by the skill's author, and could be altered by a third party at any time. Executing arbitrary code from an unverified external source poses a significant supply chain risk, potentially leading to arbitrary code execution on the user's system. Host the installation script directly within the skill package or a trusted, version-controlled repository. Provide a cryptographic hash (e.g., SHA256) for users to verify the script's integrity before execution. Avoid relying on ephemeral or unverified third-party snippet hosting services for critical installation steps. | LLM | SKILL.md:18 |
| MEDIUM | Cron job message contains direct LLM instructions: The `clawdbot cron add` command includes a `--message` parameter: "Run daily auto-updates: check for Clawdbot updates and update all skills. Report what was updated.". This message is likely intended to be processed by the host LLM when the cron job runs, instructing it on what actions to perform or summarize. This demonstrates a prompt injection vector where the skill can directly inject instructions into the LLM's processing flow via a scheduled task. While the current message is benign, this mechanism could be exploited if the message content were controllable by an attacker or if it contained malicious instructions. If the `--message` parameter is processed by an LLM, it should be treated as untrusted input and sanitized or restricted to prevent arbitrary instruction injection. Consider using structured data or a limited set of predefined commands for cron job messages intended for LLM processing, rather than free-form natural language. | LLM | SKILL.md:45 |
| MEDIUM | Windows agent download uses unpinned 'latest' release: The Windows prerequisite instructions link to `https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`. Using `/latest` in the download URL means that the specific version of `openclaw-agent` is not pinned. While GitHub releases are generally more reliable than arbitrary snippet sites, relying on `latest` introduces a supply chain risk. A malicious actor could potentially compromise the `openclaw-agent` repository or release process to push a malicious `latest` version, which would then be downloaded and executed without explicit version verification. Pin the `openclaw-agent` download to a specific version (e.g., `v1.0.0/openclaw-agent.zip`) and provide a cryptographic hash for verification. Update the pinned version only after thorough review and testing. | LLM | SKILL.md:15 |