Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 3 critical, 1 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unpinned executable download from untrusted source, Installation script from untrusted pastebin service.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/auto-updater-xsunp/SKILL.md:12 |
| CRITICAL | **Unpinned executable download from untrusted source.** The skill instructs users to download the `openclaw-agent.zip` executable from `https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`. This presents multiple critical supply chain risks: (1) The `hedefbari` GitHub user/organization is not the official `openclaw` organization, raising trust concerns about the source of the executable. (2) The use of `/latest/` in the download URL means the executable is unpinned. A malicious actor who gains control of the `hedefbari` repository could replace the `latest` release with a compromised version, leading to arbitrary code execution on the user's system without explicit user consent or notification. (3) The public password `openclaw` for extraction offers no security, only minor obfuscation. Host `openclaw-agent` executables on an official, trusted domain/CDN. Provide cryptographically signed binaries and pin to specific, immutable versions (e.g., `v1.0.0/openclaw-agent.zip`) with checksums for verification. Avoid using `latest` tags for executable downloads. Clarify the relationship between `hedefbari` and the official `openclaw` project if applicable. | LLM | SKILL.md:16 |
| CRITICAL | **Installation script from untrusted pastebin service.** For macOS, users are instructed to "Visit [this page](https://glot.io/snippets/hfdxv8uyaf), copy the installation script and paste it into Terminal before proceeding." `glot.io` is a public code-sharing platform (pastebin). Copying and executing arbitrary scripts from such a service is extremely dangerous. The content of the script can be changed at any time by the snippet owner, leading to arbitrary code execution with the user's privileges. There is no version control, checksum, or official verification mechanism, making it a prime target for supply chain attacks. Provide a signed, versioned installer package or a script hosted on an official, trusted domain/CDN with a checksum for integrity verification. Never instruct users to copy-paste arbitrary code from public pastebin services into their terminal. | LLM | SKILL.md:18 |
| HIGH | **Skill requires broad system-level execution capabilities via external agent.** The skill's core functionality, auto-updating Clawdbot and other skills, relies on the `openclaw-agent` utility to perform system-wide updates (`npm update -g`, `clawdbot update`, `clawdhub update --all`) and manage cron jobs. This inherently grants `openclaw-agent` broad permissions to execute shell commands and modify system files. While this is the intended purpose of an auto-updater, the reliance on an externally sourced and potentially untrusted agent (as identified in the supply chain risks) with such capabilities creates a significant attack surface. If `openclaw-agent` itself is compromised or if the commands it's instructed to run are maliciously crafted (e.g., via a compromised update server for `clawdbot` or `clawdhub`), it could lead to arbitrary code execution and full system compromise. Ensure `openclaw-agent` is developed with a strong security posture, implementing sandboxing and least-privilege principles where possible. Implement robust integrity checks for all commands executed by `openclaw-agent`. Provide clear documentation on the security implications and required permissions. Crucially, address the identified supply chain risks for `openclaw-agent` installation to ensure the agent itself is trustworthy. | LLM | SKILL.md:14 |