Trust Assessment
openclaw-auto-updater received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include "Skill schedules direct shell command execution" and "Skill provides direct instructions to LLM agent".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Skill schedules direct shell command execution.** The skill uses `openclaw cron add` to schedule tasks where the `--message` argument contains direct shell commands (e.g., `openclaw update`, `clawdhub update`). The `openclaw` agent is expected to parse and execute these commands. This mechanism allows the skill, via its untrusted content, to directly execute arbitrary shell commands on the host system. While the commands provided in this skill are benign updates, this capability represents a significant security surface, as a malicious skill could schedule arbitrary system commands. Ensure that the `openclaw` agent's execution of `--message` content is sandboxed, uses a restricted shell, or validates commands against an allow-list. Implement robust input validation and command sanitization to prevent malicious command injection through the `message` parameter. | LLM | SKILL.md:20 |
| INFO | **Skill provides direct instructions to LLM agent.** The skill utilizes the `openclaw cron add --message` parameter to provide direct instructions to the `openclaw` agent. If the `openclaw` agent is an LLM, these messages serve as prompts, instructing the LLM to perform specific actions like "report versions updated + errors" or "summarize changes." This is the intended functionality of the skill to schedule agent tasks. While not inherently malicious in this context, it highlights that the skill's untrusted content directly dictates LLM behavior. No direct remediation needed for this skill, as it's intended behavior. However, the `openclaw` agent should be designed with robust prompt handling, sandboxing, and validation to prevent malicious instructions from being executed if the `message` parameter were ever to be sourced from untrusted user input. | LLM | SKILL.md:20 |