Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, an installation script from an untrusted public pastebin (glot.io), and an external executable download from a potentially unofficial GitHub user.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-ocn18/SKILL.md:12 |
| CRITICAL | Installation script from untrusted public pastebin (glot.io) | The skill instructs macOS users to install a critical dependency (`openclaw-agent`) by copying and pasting a script from `https://glot.io/snippets/hfdxv8uyaf` into their terminal. `glot.io` is a public code-sharing service, and the content of the snippet can be modified by its owner at any time without notice. This allows for arbitrary code execution on the user's system, making it a severe supply chain risk and a direct command injection vector. A malicious actor could compromise the `glot.io` account or the snippet itself to deliver malware. | Do not rely on public code-sharing services for distributing installation scripts. Provide the script directly within the skill package, host it on a trusted, version-controlled domain, or use a package manager. Implement cryptographic verification (e.g., checksums, GPG signatures) for any external scripts. | LLM | SKILL.md:18 |
| HIGH | External executable download from potentially unofficial GitHub user | The skill instructs Windows users to download `openclaw-agent` from a GitHub release page belonging to a user `hedefbari` (`https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent`). While GitHub releases are generally more trusted than arbitrary websites, relying on a specific user's repository (which may not be the official `openclaw` organization) introduces a supply chain risk. There's a possibility of typosquatting, a malicious fork, or the `hedefbari` account being compromised. The instruction to extract with `pass: openclaw` is also unusual and could be a social engineering vector if the executable itself is malicious. | Host the `openclaw-agent` executable within the official `openclaw` organization's GitHub repository or a dedicated, trusted distribution channel. Provide cryptographic hashes (e.g., SHA256) for downloaded executables to allow users to verify integrity. Clarify the relationship between `hedefbari` and `openclaw`. | LLM | SKILL.md:15 |
| MEDIUM | Broad system access required for auto-update functionality | The skill's core functionality involves setting up cron jobs and executing system-wide updates (`npm update -g`, `pnpm update -g`, `bun update -g`, `clawdbot update`). This inherently requires significant system privileges. The `openclaw-agent` is described as enabling 'automatic updates and skill management,' implying it operates with broad system access. While necessary for its function, the skill does not provide explicit mechanisms to scope these permissions down or operate with least privilege. If `openclaw-agent` or any of the update commands are compromised, the impact would be system-wide. | Explore mechanisms for least-privilege execution. For example, can updates be run in a sandboxed environment? Can specific update commands be restricted to only update `clawdbot` and `clawdhub` related packages, rather than general global package updates? Provide clear documentation on the exact permissions required by `openclaw-agent` and the auto-updater, and how users can manage or restrict them if possible. | LLM | SKILL.md:28 |