Trust Assessment
update-plus received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 25 findings: 16 critical, 4 high, 5 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Sensitive environment variable access: $HOME, Persistence mechanism: Crontab modification.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings25
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hopyky/update-plus/bin/lib/cron.sh:26 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hopyky/update-plus/bin/lib/cron.sh:30 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hopyky/update-plus/bin/lib/cron.sh:43 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hopyky/update-plus/bin/lib/cron.sh:51 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hopyky/update-plus/bin/lib/cron.sh:59 | |
| CRITICAL | Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hopyky/update-plus/bin/lib/cron.sh:67 | |
| CRITICAL | Persistence / self-modification instructions Piping content into crontab Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/hopyky/update-plus/bin/lib/cron.sh:47 | |
| CRITICAL | Command Injection via eval with rsync arguments The script uses `eval` to execute an `rsync` command, where the arguments (`$rsync_args`) are constructed from user-controlled configuration values (`.exclude` array in `update-plus.json`). An attacker able to modify the configuration file could inject arbitrary shell commands into the `exclude` array, which would then be executed by `eval`. Avoid using `eval` with user-controlled input. Instead, construct the `rsync` command and its arguments as an array and execute it directly, or rigorously sanitize all input to prevent shell metacharacters from being interpreted as commands. | LLM | bin/lib/backup.sh:64 | |
| CRITICAL | Command Injection via GPG recipient The `gpg --encrypt` command uses `$GPG_RECIPIENT` directly, which is loaded from the `encryption.gpg_recipient` field in `update-plus.json`. If an attacker can modify this configuration value, they could inject shell commands that would be executed when `gpg` is called. Sanitize `$GPG_RECIPIENT` to ensure it contains only valid GPG recipient identifiers, or use an array to pass arguments to `gpg` to prevent shell interpretation. | LLM | bin/lib/backup.sh:100 | |
| CRITICAL | Command Injection via rclone remote path The `rclone copy` and `rclone lsf` commands use `$RCLONE_REMOTE` and `$REMOTE_STORAGE_PATH` directly, which are loaded from the `remote_storage` section in `update-plus.json`. An attacker who can modify these configuration values could inject shell commands that would be executed when `rclone` is called. Sanitize `$RCLONE_REMOTE` and `$REMOTE_STORAGE_PATH` to ensure they contain only valid rclone remote and path components, or use an array to pass arguments to `rclone`. | LLM | bin/lib/backup.sh:119 | |
| CRITICAL | Command Injection in crontab entry The `install_cron` function constructs a cron command string (`$cron_cmd`) using `$cron_schedule` (a function argument) and `$log_path` (derived from configuration). This string is then piped to `crontab -`. An attacker who can control the `$cron_schedule` argument or modify the `backup_dir` in `update-plus.json` (affecting `$log_path`) could inject arbitrary shell commands into the crontab entry, leading to periodic execution of malicious code. Rigorously validate and sanitize `$cron_schedule` to ensure it adheres strictly to cron syntax. Sanitize `$log_path` to ensure it is a valid file path without shell metacharacters. Avoid direct string concatenation for cron entries; consider using a safer method or strict input validation. | LLM | bin/lib/cron.sh:21 | |
| CRITICAL | Command Injection via openclaw message arguments The `openclaw message send` command uses `$NOTIFY_TARGET` (from `update-plus.json`) and `$message` (which can include `$details` from a function argument) directly. If an attacker can modify the `notifications.target` in the config or provide malicious `$details` to `send_notification`, they could inject shell commands into the `openclaw` command execution. Sanitize `$NOTIFY_TARGET` and `$message` to prevent shell metacharacters, or use an array to pass arguments to the `openclaw` command. | LLM | bin/lib/notify.sh:70 | |
| CRITICAL | Command Injection via GPG decrypt backup path The `gpg --decrypt` command uses `$backup_path`, which is derived from `$backup_id` (a user-provided function argument). If an attacker provides a crafted `backup_id` containing shell metacharacters, they could inject commands that would be executed during the decryption process. Sanitize `$backup_id` to ensure it is a valid filename without shell metacharacters, or use an array to pass arguments to `gpg`. | LLM | bin/lib/restore.sh:80 | |
| CRITICAL | Command Injection via rsync target path in restore The `rsync` commands in `restore_legacy_backup` and `restore_labeled_backup` use `$skills_dir` and `$target` respectively, which are derived from configuration (`SKILLS_DIRS_JSON`, `backup_paths`) or hardcoded defaults. If an attacker can modify these configuration values, they could inject shell commands into the `rsync` execution, potentially overwriting critical system files or executing arbitrary code. Sanitize all paths derived from configuration or user input to ensure they are valid directory paths without shell metacharacters. Use arrays for `rsync` arguments to prevent shell interpretation. | LLM | bin/lib/restore.sh:108 | |
| CRITICAL | Command Injection via rsync source label in restore In `restore_labeled_backup`, the `rsync` command uses `$label` (derived from `basename "$dir"`) as part of the source path. If a malicious backup archive contains directories with names containing shell metacharacters (e.g., `'; rm -rf /;'`), these characters could be interpreted as commands when used in the `rsync` command, leading to arbitrary code execution. Sanitize `$label` to ensure it is a valid directory name without shell metacharacters before using it in `rsync`. This can be done by validating the extracted directory names or by using an array for `rsync` arguments. | LLM | bin/lib/restore.sh:170 | |
| CRITICAL | Command Injection via df path argument The `df` command in `get_available_disk_space` uses `$path` (a function argument, defaulting to `$BACKUP_DIR` from configuration). If an attacker can modify the `backup_dir` in `update-plus.json`, they could inject shell commands into the `df` execution. Sanitize `$path` to ensure it is a valid directory path without shell metacharacters. | LLM | bin/lib/utils.sh:64 | |
| HIGH | Persistence mechanism: Crontab modification Detected Crontab modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/hopyky/update-plus/bin/lib/cron.sh:43 | |
| HIGH | Persistence mechanism: Crontab modification Detected Crontab modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/hopyky/update-plus/bin/lib/cron.sh:67 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/hopyky/update-plus/bin/lib/restore.sh:110 | |
| HIGH | Unpinned dependency updates for OpenClaw The skill updates the `openclaw` core using `npm install -g openclaw@latest`, `pnpm add -g openclaw@latest`, etc. This fetches the latest version without specific pinning. If the package registry or the `openclaw` package maintainer's account is compromised, malicious code could be introduced and automatically installed. Implement version pinning for `openclaw` updates (e.g., `openclaw@^X.Y.Z`) or use a more controlled update mechanism that involves review or cryptographic verification. | LLM | bin/lib/update.sh:139 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/hopyky/update-plus/bin/lib/config.sh:11 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/hopyky/update-plus/bin/lib/cron.sh:16 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/hopyky/update-plus/bin/lib/restore.sh:155 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/hopyky/update-plus/bin/lib/utils.sh:49 | |
| MEDIUM | Unpinned dependency updates for skills via git The skill updates individual skills using `git fetch` and `git pull --ff-only` without specifying a particular branch, tag, or commit hash. This means it always pulls the latest changes from the remote. If a skill's remote Git repository is compromised, malicious code could be introduced into the user's environment. Implement version pinning for skill updates (e.g., by checking out specific tags or commit hashes) or use a mechanism that verifies the integrity of the fetched code. | LLM | bin/lib/update.sh:51 |
Scan History
Embed Code
[](https://skillshield.io/report/adcf5dc1f58352dd)
Powered by SkillShield