Back to skill

Security audit

Update Plus

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real maintenance tool, but it needs review because it can overwrite, delete, upload, and automatically update OpenClaw data with limited safeguards.

Install only if you are comfortable with a tool that can back up sensitive OpenClaw data, update installed skills from their git remotes, restore with overwrite/delete behavior, and optionally run unattended through cron. Verify the source and missing entrypoint before use, prefer dry-run/check first, encrypt backups before enabling cloud sync, keep remote_storage.path dedicated to this tool, and enable cron only if automatic future code changes are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and documents shell-executed operational capabilities such as git cloning, PATH modification, symlink creation, backups, restores, and updates, but no explicit permissions are declared. In an agent skill ecosystem, undeclared shell capability reduces transparency and weakens policy enforcement because users and orchestrators cannot accurately assess or constrain what the skill may execute.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose frames the skill as backup, update, and restore, but the documented behavior extends to cron persistence, third-party notifications, cloud upload, encryption/decryption, backup lifecycle cleanup, and diff/list operations. This mismatch is dangerous because users may grant trust for local maintenance while the skill also performs persistence, external data transmission, and destructive cleanup actions that materially expand risk.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The cleanup routine automatically deletes remote files using rclone deletefile based solely on listing order and retention count, with no validation that the target path is dedicated to this tool's backups. If RCLONE_REMOTE or REMOTE_STORAGE_PATH is misconfigured, the script could delete unrelated remote data silently.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
A backup/restore/update tool can overwrite configuration, workspace contents, installed skills, and repository state, yet the documentation does not prominently warn users about destructive restore/update consequences. In this context, the skill is especially sensitive because it targets core OpenClaw directories, so omission of overwrite warnings increases the chance of accidental data loss or state corruption.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises cloud sync to Google Drive/S3/Dropbox and notifications to messaging targets without a clear privacy warning that backup contents, metadata, or contact identifiers may be transmitted to third parties. Because backups may contain config, workspace data, and skills, this omission can expose sensitive tokens, source code, or personal information if users enable these features without understanding the data flow.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
Backup archives may contain sensitive configuration, workspace, and skill data, and the script proceeds to upload them remotely without an explicit user-facing disclosure or interactive confirmation at execution time. In an agent skill context, this increases the risk of unintentional data exfiltration to a configured remote destination.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Automatic remote deletion is materially riskier than local cleanup because it affects external storage and may remove data beyond the user's immediate visibility. Without explicit warning or confirmation, a misconfigured remote path or unexpected file listing can lead to silent destructive actions against remote data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function installs a persistent cron entry by writing directly to the user's crontab without any explicit confirmation or dry-run step. Even if intended as a convenience feature, silent persistence changes are security-relevant because they create recurring execution of update logic and can surprise users or be abused if the script path or update behavior is compromised.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The uninstall path rewrites the user's crontab non-interactively and removes lines matching broad string filters. This can unexpectedly alter scheduled tasks and, because it pipes filtered output directly back into crontab, mistakes or collisions in matching could remove unrelated entries.

Session Persistence

Medium
Category
Rogue Agent
Content
# Append to crontab
  {
    crontab -l 2>/dev/null || true
    echo ""
    echo "$cron_comment"
    echo "$cron_cmd"
Confidence
95% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
log_info "Removing cron job..."

  # Remove lines containing update-plus
  crontab -l 2>/dev/null | grep -v "update-plus" | grep -v "Update Plus" | crontab -

  log_success "Cron job removed!"
  return 0
Confidence
92% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
# Version: 4.0.3
# For OpenClaw

# Install cron job for automatic updates
install_cron() {
  local cron_schedule="${1:-0 2 * * *}"  # Default: 2 AM daily
  local script_path="${SCRIPT_DIR}/update-plus"
Confidence
74% confidence
Finding
Install cron job for

Self-Modification

High
Category
Rogue Agent
Content
# Update all skills
update_skills() {
  if [[ "$DRY_RUN" == true ]]; then
    log_dry_run "Would update skills"
    log_info "Checking for skill updates..."
    update_git_skills
    return 0
Confidence
96% confidence
Finding
update skill

Self-Modification

High
Category
Rogue Agent
Content
update_git_skills
}

# Update skills via git pull
update_git_skills() {
  local skills_dirs_json=$(get_skills_dirs)
Confidence
97% confidence
Finding
Update skill

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.