Xiaopi Auto Updater

Security checks across malware telemetry and agentic risk

Overview

This is an openly described auto-updater, but it gives a persistent daily job broad power to change Clawdbot and every installed skill without per-update approval.

Install only if you intentionally want Clawdbot and every installed skill to update automatically on a recurring schedule. Safer use would start with dry-runs or manual approval, restrict updates to trusted or pinned sources, keep summaries local or choose delivery carefully, and confirm you know how to disable the cron job before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This skill sets up unattended recurring updates that modify the bot installation and all installed skills, but the description does not clearly warn users that software and skill files will be changed automatically on a schedule. That omission undermines informed consent and increases the chance users enable a high-trust automation without understanding that future registry or package-manager changes will be pulled and applied unattended.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide instructs the agent to set up unattended updates that modify the installed bot and all skills on a schedule, but it does not explicitly warn the user that this will cause recurring changes to their environment without per-update approval. Automatic package and skill updates can introduce breaking changes or malicious upstream code, so the missing warning and consent step materially increases risk.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The cron configuration includes delivery/reporting of update summaries, but the guide does not warn that logs and summaries may contain package names, versions, errors, paths, or other system details that will be sent through the configured delivery channel. This creates a privacy and operational exposure, especially if messages are delivered to third-party providers or shared accounts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup confirmation explicitly enables unattended daily updates of the core bot and all installed skills, but it does not warn the user that software will be modified automatically without per-run approval. In an auto-updater context, that omission matters because it can reduce informed consent around supply-chain changes and unexpected behavior introduced by updated code.

Self-Modification

High
Category
Rogue Agent
Content
# Capture new version
CLAWDBOT_VERSION_AFTER=$(clawdbot --version 2>/dev/null || echo "unknown")

# Update skills
log "Updating skills via ClawdHub..."
SKILL_OUTPUT=$(clawdhub update --all 2>&1) || true
echo "$SKILL_OUTPUT" >> "$LOG_FILE"
Confidence
97% confidence
Finding
Update skill

VirusTotal

65/65 vendors flagged this skill as clean.
