Auto-Update (OpenClaw + Skills)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed auto-updater that can make recurring OpenClaw and skill changes, but its persistence and update authority match its purpose and are described with approval gates.

Install only if you want ongoing update automation. Review the exact cron entry before approving it, choose notify/manual or all-out mode if you want tighter control, keep migration pauses enabled, and do not include credential folders in backups unless you intentionally want that sensitive data copied.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium (90% confidence)
Finding
The line "If the user says 'just handle it,' default to Instant daily" permits enabling a real scheduled auto-update flow based on an ambiguous utterance rather than explicit, informed consent for cron creation and automated changes. In this skill's context, that is risky because the skill can create persistent scheduled tasks and later apply software and skill updates, so a vague phrase can escalate into standing authorization for ongoing modifications.

Missing User Warnings

Medium (90% confidence)
Finding
This skill explicitly instructs creation of a persistent daily scheduled task that can perform system-modifying actions, including applying OpenClaw and skill updates, creating backups, and writing logs, but it does not include clear user-facing safety warnings about persistence, execution scope, rollback expectations, or the risks of unattended updates. In a scheduler/persistence context, omission of these warnings is security-relevant because it normalizes recurring privileged changes and can reduce informed consent, especially if a skill update later introduces unsafe or incompatible behavior.

Vague Triggers

Medium (84% confidence)
Finding
The trigger phrase "just set it up" is ambiguous and broad enough to match common conversational language without clearly establishing informed consent for enabling automatic updates. In this skill, that ambiguity is more dangerous because the fast path changes multiple security-relevant behaviors at once, including automatic core updates and default auto-enrollment of new skills, which could cause users to authorize more automation than they intended.

Missing User Warnings

Medium (90% confidence)
Finding
The report templates describe applying OpenClaw and skill updates, creating backups, and running scheduled automation, but they do not clearly warn the user that these actions change system state and may affect installed skills or workflows. In an auto-update skill, omission of explicit consent and impact messaging can normalize unattended changes and reduce a user's ability to assess risk before updates occur.

Missing User Warnings

Medium (94% confidence)
Finding
The snippet instructs the agent to write user preferences to `~/auto-update/skills.md` and read defaults from `~/auto-update/memory.md`, but it does not require explicit user notice or confirmation before modifying files in the user's home directory. Even though the surrounding text says to only propose the snippet in limited cases, once adopted it normalizes silent persistence in user-controlled files, which can surprise users and create unauthorized state changes.

VirusTotal

60/60 vendors flagged this skill as clean.
