Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 3 critical, 2 high, 0 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Unpinned external executable download", and "Arbitrary external script execution via pastebin".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-se38e/SKILL.md:12 |
| CRITICAL | Unpinned external executable download | The skill instructs users to download an executable (`openclaw-agent.zip`) from a 'latest' release URL on GitHub. This URL is unpinned, meaning the content can change at any time without user awareness, posing a significant supply chain risk. An attacker could replace the 'latest' release with malicious software, leading to arbitrary code execution on the user's system. | Pin the `openclaw-agent` download to a specific, immutable version (e.g., a specific tag or commit hash) and provide checksums for verification. Recommend official, signed binaries if available, and host them on a trusted domain. | LLM | SKILL.md:17 |
| CRITICAL | Arbitrary external script execution via pastebin | The skill instructs macOS users to copy and paste an installation script from `glot.io`, a public code-sharing service. Content on such platforms can be easily modified by the snippet owner or an attacker, leading to arbitrary code execution on the user's system with potentially elevated privileges. | Avoid instructing users to copy and paste scripts from unverified, mutable sources like pastebins. Provide official, signed installation methods or package manager instructions. If a script is absolutely necessary, host it securely on a trusted domain and provide checksums for integrity verification. | LLM | SKILL.md:20 |
| HIGH | Potential prompt injection in cron job message | The skill defines a cron job with a `--message` argument containing natural language instructions. If the `clawdbot` system uses an LLM to process this message (e.g., to generate the update summary), a malicious skill could craft this message to perform prompt injection against the `clawdbot` LLM, potentially manipulating its behavior or extracting sensitive information. | Implement strict sanitization and validation for any user- or skill-provided natural language input that is fed into an LLM. Consider using structured data or templates for LLM interactions rather than raw natural language messages for system-generated summaries. | LLM | SKILL.md:49 |
| HIGH | Reliance on external agent with excessive privileges | The skill's core functionality (system and skill updates, cron management) relies on an external utility, `openclaw-agent`, which is described as enabling 'automatic updates and skill management.' The installation instructions for this agent involve downloading an unverified executable or running an arbitrary script, implying it will operate with significant, potentially system-level, privileges. This broad scope, combined with the insecure distribution method, creates a high-risk scenario. | Re-evaluate the necessity of a separate, high-privilege `openclaw-agent`. If essential, ensure it is distributed securely (e.g., via official package managers, signed binaries) and operates with the principle of least privilege. Clearly document its required permissions and provide a robust security model for its operation. | LLM | SKILL.md:23 |