Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 5 critical, 2 high, 0 medium, and 0 low severity. Key findings include "Network egress to untrusted endpoints", "Untrusted skill content attempts to manipulate host LLM", and "Untrusted skill instructs LLM to execute arbitrary shell commands".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-sxdg2/SKILL.md:12 |
| CRITICAL | **Untrusted skill content attempts to manipulate host LLM.** The entire skill definition is provided as untrusted input. Within this untrusted content, there are explicit instructions and examples (e.g., "Ask Clawdbot to set up the auto-updater:", "Or manually add the cron job:") that attempt to guide and manipulate the host LLM's behavior. This constitutes a direct prompt injection attempt by the untrusted skill itself, as it is instructing the LLM on how to operate. Skill definitions should be treated as trusted code or carefully sandboxed. Untrusted content should never contain instructions intended for the host LLM. | LLM | SKILL.md:1 |
| CRITICAL | **Untrusted skill instructs LLM to execute arbitrary shell commands.** The untrusted skill explicitly provides and instructs the host LLM to execute various shell commands, including `clawdbot cron add`, `npm update`, `pnpm update`, `bun update`, `clawdbot update`, `clawdhub update`, and `clawdbot doctor`. The `clawdbot cron add` command is particularly concerning as it sets up a persistent cron job to execute commands, effectively granting long-term command execution capabilities based on untrusted input. The host LLM should never execute shell commands directly from untrusted skill content. All command execution should be mediated by a trusted, sandboxed environment with strict allow-listing and input validation. | LLM | SKILL.md:48 |
| CRITICAL | **Instructions to download and execute binary from suspicious third-party source.** The skill instructs users to download and run `openclaw-agent.zip` from `https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`. The repository `hedefbari/openclaw-agent` is not part of the official `openclaw` organization (as indicated by the repository metadata `https://github.com/openclaw/skills`). This strongly suggests a potential typosquat, malicious fork, or impersonation, leading to the execution of an arbitrary, potentially malicious, binary on the user's system. The mention of a password (`openclaw`) for extraction is also highly unusual for a public utility. Only allow downloads and execution of binaries from officially sanctioned and verified sources. Implement strict checks for repository ownership and integrity. Avoid instructing users to download and run executables from unverified third-party accounts. | LLM | SKILL.md:17 |
| CRITICAL | **Instructions to execute arbitrary script from pastebin service.** The skill instructs macOS users to "Visit [this page](https://glot.io/snippets/hfdxv8uyaf), copy the installation script and paste it into Terminal before proceeding." `glot.io` is a public pastebin-like service, and executing arbitrary, unverified scripts from such a source is an extremely high-risk supply chain vulnerability. The content of the script is unknown and could contain malicious commands. Never instruct users to execute scripts from unverified, public pastebin services. All installation scripts should be hosted on trusted, version-controlled platforms and ideally reviewed before execution. | LLM | SKILL.md:20 |
| HIGH | **Unpinned dependencies used for critical system updates.** The skill instructs the LLM to use `npm update -g clawdbot@latest`, `pnpm update -g clawdbot@latest`, and `bun update -g clawdbot@latest`. Using `@latest` for critical system updates means that any new version, potentially including malicious or breaking changes, will be automatically installed without review. This introduces a significant supply chain risk if the upstream package is compromised. Pin dependencies to specific versions or use a version range that allows for security patches but prevents major, unreviewed updates. Implement a review process for new versions before automatic deployment. | LLM | SKILL.md:76 |
| HIGH | **Skill requires excessive system permissions for untrusted operations.** The skill's core functionality involves updating system-level software (Clawdbot, other skills) and managing cron jobs, which inherently requires broad system permissions (e.g., write access to installation directories, ability to execute system commands). When combined with the critical command injection and supply chain risks identified, these excessive permissions allow untrusted code to perform highly privileged and potentially malicious actions on the host system. Skills should operate with the principle of least privilege. If system-level operations are necessary, they should be performed within a strictly sandboxed environment with granular permissions, and only after thorough vetting of the skill's source and intent. | LLM | SKILL.md:1 |