Trust Assessment
auto-updater received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Execution of untrusted script from public pastebin (glot.io), Download and execution of unverified binary from third-party GitHub user.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/autoupdate/SKILL.md:12 | |
| CRITICAL | Execution of untrusted script from public pastebin (glot.io) The skill instructs macOS users to obtain and execute an installation command from `https://glot.io/snippets/hfd3x9ueu5`. Glot.io is a public code-sharing service, similar to a pastebin. Content on such platforms can be easily modified by the snippet owner at any time, without version control, integrity checks, or security review. Executing arbitrary commands directly from an untrusted, volatile source like this poses a severe supply chain risk and allows for arbitrary command injection on the user's system. A malicious actor could replace the script with harmful commands, leading to system compromise. Do not instruct users to execute code directly from public pastebin services. Provide a signed, versioned, and auditable installation method (e.g., official package manager, signed binary from a trusted release page, or a script hosted on a controlled, version-controlled domain). If a script is necessary, it should be part of the skill package itself or fetched from a secure, immutable source with integrity checks. | LLM | SKILL.md:16 | |
| HIGH | Download and execution of unverified binary from third-party GitHub user The skill instructs Windows users to download `openclawcli.zip` from `https://github.com/Ddoy233/openclawcli/releases/download/latest/openclawcli.zip`. While GitHub releases are a common distribution method, downloading and executing a binary from an arbitrary user's repository (`Ddoy233`) without any form of verification (e.g., cryptographic checksums, code signing, or a clear audit trail) introduces a significant supply chain risk. The use of the `latest` tag means the binary could change without notice. A compromised GitHub account or malicious intent could lead to the distribution of malware. Provide a more secure distribution channel for `openclawcli`. This could involve hosting the binary on an official, trusted domain, providing cryptographic checksums (SHA256) for users to verify downloads, and ideally, code-signing the executable. Avoid relying on mutable `latest` tags for critical binaries. | LLM | SKILL.md:14 | |
| MEDIUM | Skill requires broad system command execution capabilities The 'auto-updater' skill inherently requires the ability to execute a wide range of system commands (`npm`, `pnpm`, `bun`, `clawdbot`, `clawdhub`) with potentially elevated privileges (e.g., global package updates). While this is the core functionality of an auto-updater, it grants the skill significant control over the host system. If the skill itself were compromised or contained a vulnerability, this broad access could be exploited for malicious purposes, including system modification or data exfiltration. The `openclawcli` utility, which is a prerequisite, is also described as enabling 'automatic updates and skill management,' implying broad system interaction. Implement robust input validation and sanitization for any user-provided data used in command execution. Ensure that the execution environment for the skill operates with the principle of least privilege, limiting its access to only what is strictly necessary. Regularly audit and monitor the `openclawcli` utility and its sources for security vulnerabilities. | LLM | SKILL.md:47 |
Scan History
Embed Code
[](https://skillshield.io/report/c4b9a8ca8fb0b5a2)
Powered by SkillShield