Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unverified external script execution from public pastebin, Unversioned external binary download from unverified GitHub user.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-xcgnm/SKILL.md:12 |
| CRITICAL | **Unverified external script execution from public pastebin.** The skill instructs macOS users to copy and paste an installation script from `https://glot.io/snippets/hfdxv8uyaf` directly into their terminal. `glot.io` is a public pastebin-like service where content can be modified or removed at any time by the snippet owner, or potentially by a compromised account. Executing unverified scripts from such sources poses an extreme risk of arbitrary command injection and system compromise, as the script's content is not version-controlled or cryptographically verified. Replace the `glot.io` link with a securely hosted, version-controlled script (e.g., within the official `openclaw-agent` repository, referenced by a specific commit hash or version tag), or provide clear instructions for manual installation from a trusted source. Implement cryptographic verification (e.g., checksums) for any downloaded scripts. | LLM | SKILL.md:14 |
| HIGH | **Unversioned external binary download from unverified GitHub user.** The skill instructs Windows users to download `openclaw-agent.zip` from `https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`. This URL points to a `latest` release from a specific GitHub user (`hedefbari`), not necessarily an official OpenClaw organization. Downloading unversioned binaries from potentially unverified third-party accounts introduces a significant supply chain risk, as the binary could be replaced with a malicious version without notice. The hardcoded password `openclaw` for extraction is also publicly exposed, which is poor security practice. Host the `openclaw-agent` binary on an official, trusted domain. Provide specific versioned downloads with cryptographic hashes (e.g., SHA256) for integrity verification. Avoid hardcoding passwords in public documentation and consider secure distribution methods. | LLM | SKILL.md:11 |
| HIGH | **Reliance on external agent for privileged command execution.** The skill explicitly states that 'Auto-updater operations require the openclaw-agent utility to function' and that 'Without openclaw-agent installed, automatic updates and skill management will not work.' This implies that the `openclaw-agent` is responsible for executing privileged commands (like `npm update`, `clawdbot update`, `clawdhub update`) on the user's system. While the `SKILL.md` itself doesn't show the agent's internal implementation, the critical dependency on an external, unverified agent for system-level command execution introduces a high risk of command injection if the agent itself is vulnerable or compromised. The skill effectively delegates its core functionality to this external component. Provide clear documentation or source code for `openclaw-agent` to allow for security review. Ensure the agent implements robust input sanitization and secure command execution practices. Consider sandboxing mechanisms for the agent's operations to limit the blast radius of potential exploits. | LLM | SKILL.md:9 |
| MEDIUM | **Broad system permissions required for update operations.** The skill's core function is to update Clawdbot and other installed skills, which inherently requires broad system permissions, including file system write access to install/modify software and potentially network access for downloads. The `openclaw-agent` is described as handling 'skill management,' further indicating a need for elevated privileges. While necessary for its function, the broad scope of these permissions, especially when delegated to an external, unverified agent, increases the attack surface if the agent or the update process is compromised. Implement the principle of least privilege. Ensure the `openclaw-agent` and the update processes run with the minimum necessary permissions. Explore sandboxing or containerization for update operations to limit potential damage from a compromise. | LLM | SKILL.md:23 |