ClawHub
Back to skill
v0.2.1

qwencloud-update-check

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 2:22 PM.

Analysis

The skill mostly matches its update-checking purpose, but it emits auto-confirm, unpinned install/update commands and uses shared persistent state that other qwencloud skills can act on.

GuidanceUse this skill only if you are comfortable with it checking GitHub and writing `.agents/state.json`. Do not allow an agent to run the suggested `npx skills add ... -y` command automatically; verify the repository and prefer pinned, explicit updates.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceMediumStatusConcern
scripts/gossamer.py
skill_args = " ".join(skills) if skills else ""
return f"npx skills add {_SKILLS_REPO} --skill {skill_args} -y"

The helper builds a shell command from local `skills-lock.json` skill names and includes `-y` auto-confirm. It prints the command for users or agents to run, but the skill names are only prefix-filtered and not shell-quoted.

User impactIf a user or another agent runs the emitted command automatically, it could install or update skills with minimal confirmation and may be unsafe if the local lock data is malformed or manipulated.
RecommendationDo not let an agent run the emitted `npx` command automatically. The publisher should validate skill names strictly, quote arguments safely, and avoid `-y` unless the user explicitly confirms.
Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceMediumStatusConcern
scripts/gossamer.py
_SKILLS_REPO = "QwenCloud/qwencloud-ai"
INSTALL_CMD = f"npx skills add {_SKILLS_REPO} --skill qwencloud-update-check -y"

The suggested installation/update source is a repository reference rather than a pinned version or commit, and the command uses auto-confirm. This creates a mutable supply-chain dependency for updates.

User impactRunning the suggested update command may install whatever the referenced repository serves at that time, not a reviewed or pinned artifact.
RecommendationVerify the repository before installing, prefer pinned versions or commit hashes, and avoid auto-confirmed updates unless the source is trusted.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
scripts/gossamer.py
proc = subprocess.run(
    [sys.executable, str(script), "--print-response"],
    capture_output=True, text=True, timeout=15,
)

The helper executes the bundled update-check script through Python subprocess. The arguments are fixed and this is purpose-aligned, but users should know the skill is not purely declarative.

User impactUsing the helper runs local Python code from the skill package.
RecommendationReview the bundled scripts before use and keep subprocess execution limited to fixed, local files as implemented here.
Cascading Failures
SeverityLowConfidenceMediumStatusNote
scripts/gossamer.py
return sorted(k for k in skills if k.startswith("qwencloud-"))
...
return f"npx skills add {_SKILLS_REPO} --skill {skill_args} -y"

The update command can include all installed `qwencloud-` skills from the lock file, so one accepted update prompt may affect multiple skills in the pack.

User impactA problematic update could impact several qwencloud skills rather than only this update checker.
RecommendationUpdate only the specific skills you intend to update, and prefer staged or pinned updates for larger skill packs.
Human-Agent Trust Exploitation
SeverityLowConfidenceMediumStatusNote
scripts/gossamer.py
print(
    f"[ACTION_REQUIRED] qwencloud-update-check skill is not installed. "
    f"Install: {INSTALL_CMD}",
    file=sys.stderr,
)

The wording `ACTION_REQUIRED` and an auto-confirm install command may make an optional installation feel mandatory, even though it is an update-helper prompt.

User impactUsers may be nudged to run the install command without reviewing whether they need it or trust the source.
RecommendationTreat the prompt as a recommendation, not a requirement, and review the command before running it.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
Records the check timestamp (`last_interaction`) in `<repo_root>/.agents/state.json` to rate-limit network requests to once every 24 hours.

The skill stores persistent state that survives sessions and is shared with `gossamer.py`. It does not store sensitive content, but that state can influence future update prompts.

User impactA local state value can suppress or allow future update notifications across sessions.
RecommendationKeep `.agents/state.json` under normal workspace integrity controls and inspect it if update prompts behave unexpectedly.
Insecure Inter-Agent Communication
SeverityLowConfidenceMediumStatusNote
scripts/gossamer.py
emits structured
signals to stderr that agents can parse and act on:

  [ACTION_REQUIRED]
  [UPDATE_AVAILABLE]

The helper communicates with other agent flows through parseable stderr signals. This is disclosed and limited to update/install notifications, but origin and action boundaries depend on the consuming agent.

User impactAnother agent or skill may treat these emitted messages as instructions to prompt for or perform updates.
RecommendationRequire explicit user approval before any consuming agent acts on `[ACTION_REQUIRED]` or `[UPDATE_AVAILABLE]` messages.