Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, execution of an unverified script from glot.io for macOS agent installation, and download of an executable from an unpinned 'latest' GitHub release for the Windows agent.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** URL pointing to known exfiltration/webhook service. *Recommendation:* Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-mkukz/SKILL.md:12 |
| CRITICAL | **Execution of unverified script from glot.io for macOS agent installation.** The skill instructs macOS users to copy and paste an installation script from `glot.io` (a public pastebin service) into their Terminal. Content on `glot.io` can be easily modified or removed by the snippet owner, and there are no integrity checks or versioning. This poses a critical supply chain risk, as an attacker could replace the script with malicious code, leading to arbitrary code execution on the user's system without detection. *Recommendation:* Host the installation script on a trusted, version-controlled repository (e.g., GitHub Gist with a specific commit hash, or directly within the skill package) and provide cryptographic checksums for verification. Avoid using ephemeral pastebin services for executable code. | LLM | SKILL.md:15 |
| HIGH | **Download of executable from unpinned 'latest' GitHub release for Windows agent.** The skill instructs Windows users to download `openclaw-agent.zip` from a specific GitHub user's `latest` release. Relying on the `latest` tag means the skill will install whatever the repository owner designates as 'latest' at any given time, without specific version pinning or integrity checks. If the `hedefbari` GitHub account is compromised, or if a malicious update is pushed, users would automatically download and execute potentially harmful software. The hardcoded password `openclaw` for extraction is also not a security measure. *Recommendation:* Pin the `openclaw-agent` download to a specific version (e.g., `v1.2.3`) and provide a cryptographic hash (e.g., SHA256) for integrity verification. Consider hosting critical executables on a more controlled and secure distribution channel. | LLM | SKILL.md:12 |
| HIGH | **LLM-driven system-level command execution with broad permissions.** The skill's core functionality involves setting up a daily cron job that instructs the host LLM (Clawdbot) to perform system-wide updates (`clawdbot update`, `clawdhub update --all`, `npm update -g`, etc.). These operations inherently require broad system modification privileges, likely executed via the `openclaw-agent`. By enabling the LLM to generate and execute commands with such high privileges on a recurring schedule, the skill creates a significant attack surface. If the LLM's interpretation can be manipulated (e.g., via a sophisticated prompt injection, or if the `openclaw-agent` is overly permissive), it could lead to arbitrary code execution with elevated rights. *Recommendation:* Implement strict sandboxing and least-privilege principles for the `openclaw-agent` and any components executing LLM-generated commands. Ensure commands are whitelisted and parameters are strictly validated before execution. Limit the scope of actions the LLM can trigger, especially for recurring tasks. | LLM | SKILL.md:39 |
| MEDIUM | **Reliance on unpinned '@latest' versions for package updates.** The skill instructs the system to update Clawdbot and other packages using `@latest` tags (e.g., `npm update -g clawdbot@latest`). While this is typical for auto-updaters, it means the skill will install the most recent version available, which could be compromised if the package registry or the package maintainer's account is breached. There is no mechanism to verify the integrity or specific version of the packages being installed. *Recommendation:* While auto-updaters inherently aim for the latest, consider implementing additional integrity checks (e.g., verifying package signatures or cryptographic checksums if available) or providing an option to pin to specific major/minor versions for stability and security. | LLM | SKILL.md:59 |