Linux Patcher

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for server patching, but it can automatically change multiple remote hosts and Docker containers with powerful credentials and weak confirmation boundaries.

Install only if you intentionally want OpenClaw to perform server maintenance. Start with dry-run on staging hosts, require explicit host scope and confirmation before applying updates, make Docker updates opt-in for production, replace broad sudo rules with controlled wrapper commands where possible, protect PatchMon credentials, and review any remote root installer before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Intent-Code Divergence

Medium, 91% confidence
Finding
The guide claims sudo access is minimally restricted, but allowing `docker pull *` permits retrieval of any image, not just approved update targets. That broadens the blast radius from patching to arbitrary container image introduction, which could be abused to stage unreviewed or malicious software on privileged hosts.

Context-Inappropriate Capability

Medium, 98% confidence
Finding
The script uses `source "$CONFIG_FILE"`, which executes the supplied configuration file as shell code in the current process rather than parsing it as data. If an attacker can modify or supply the config file, they can achieve arbitrary command execution with the privileges of the user running the patcher; in this maintenance context that may be a privileged operator, making the issue more dangerous than a typical local scripting mistake.

Vague Triggers

Medium, 87% confidence
Finding
The README advertises a very broad chat-based capability using phrases like 'Update my servers' and claims it 'just works,' which creates weak activation boundaries for a high-impact skill. In an agent ecosystem, everyday language that overlaps with normal conversation can unintentionally trigger patching actions against infrastructure, especially when combined with automatic host detection and Docker updates.

Vague Triggers

Medium, 92% confidence
Finding
The usage examples rely on natural-language requests like 'Update my servers' and 'What servers need patching?' without clear activation delimiters or consent boundaries. Because this skill performs privileged remote maintenance, ambiguous conversational examples materially increase the risk of accidental execution, mis-targeting, or social-engineering-driven invocation.

Vague Triggers

Medium, 97% confidence
Finding
These trigger examples are broad enough that ordinary requests like 'Update my servers' or 'Patch all hosts that need updates' could invoke a skill that performs remote package upgrades and may recreate Docker containers. Because the action is high impact and can cause downtime or change many hosts at once, loose triggering materially increases the chance of unintended execution.

Vague Triggers

Medium, 98% confidence
Finding
This section explicitly states that natural-language requests like 'Update my servers' will automatically query hosts, patch packages, and by default pull images and recreate containers. For an agent skill controlling remote infrastructure, this is dangerous because an ambiguous chat prompt can lead directly to operational changes and service interruption.

Missing User Warnings

Medium, 82% confidence
Finding
The PatchMon flow documents loading credentials from a local file and transmitting them to an external API, but it provides no guidance on protecting the credential file, validating transport security, or limiting token exposure. This increases the risk of credential theft or accidental disclosure, especially in automated multi-host patching contexts where compromise of PatchMon access broadens operational reach.

Missing User Warnings

Medium, 98% confidence
Finding
The guide instructs users to fetch a remote installer script and immediately execute it as root via `sudo bash`. This creates a direct privileged remote-code-execution path if the upstream source, transport, repository, or referenced branch is compromised, and the document does not warn users to inspect or pin the script first.

Missing User Warnings

Medium, 89% confidence
Finding
The configuration enables `auto_update: true` for the agent and the guide recommends automated update behavior without clearly warning that software may update itself and alter monitored systems over time. In a patching context this is expected functionality, but unattended self-updates increase supply-chain and stability risk if updates are faulty or the update channel is compromised.

Missing User Warnings

Medium, 88% confidence
Finding
The script performs package upgrades, Docker cache pruning, image pulls, and container recreation on a remote host immediately once invoked, with no interactive confirmation or explicit opt-in safety gate. In an automation context this can cause unintended service disruption, data loss from aggressive prune operations, or patching the wrong host if arguments are mistaken.

VirusTotal

60/60 vendors flagged this skill as clean.