v3.0.2

Linux Patcher

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

This skill is purpose-aligned for server patching, but it can make broad privileged changes to multiple servers and contains shell patterns that could execute generated or remote-controlled data.

GuidanceInstall only if you are comfortable giving the skill controlled SSH and sudo authority over the intended servers. Start with dry-run mode, restrict the host list and sudo permissions, review the shell scripts before use, and avoid automatic broad patching until the eval/source handling and PatchMon-generated config parsing are made safer.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

scripts/patch-host-full.sh

ssh "$HOST" "sudo $UPDATE_CMD && sudo $UPGRADE_CMD && sudo $AUTOREMOVE_CMD" ... ssh "$HOST" "sudo docker system prune -af" ... ssh "$HOST" "cd $DOCKER_PATH && sudo docker compose up -d"

The script performs privileged package upgrades, Docker cache/image pruning, and container recreation on a remote host. These are purpose-aligned, but they are high-impact operations that can restart or disrupt services.

User impactRunning the default update workflow can change system packages and Docker services, potentially causing downtime or breaking applications if updates are incompatible.

RecommendationUse dry-run first, patch a small host set during a maintenance window, keep backups or rollback plans, and require explicit confirmation before applying updates broadly.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

scripts/patch-host-only.sh

eval "$("$SCRIPT_DIR/detect-os.sh" "$HOST")"

The host update scripts evaluate shell text produced by another script. That detection script reads OS information over SSH, so malformed or hostile remote data could be turned into local shell execution.

User impactA compromised or malicious target host could potentially influence commands executed on the OpenClaw/control machine during OS detection.

RecommendationAvoid eval for OS detection results; emit structured data, strictly whitelist distribution values, and assign variables without evaluating shell code.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

scripts/patch-auto.sh

TEMP_CONFIG=$(mktemp) ... "$SCRIPT_DIR/patchmon-query.sh" --output-config "$TEMP_CONFIG" ... source "$TEMP_CONFIG"

Automatic mode sources a temporary shell config generated from PatchMon query output. If generated host data is not safely escaped, sourcing it can execute arbitrary shell content locally.

User impactBad or manipulated PatchMon data could become code executed on the control machine before patching begins.

RecommendationDo not source generated files from API data; parse JSON or a non-executable format, validate hostnames/users/paths, and escape all values if a shell config format is unavoidable.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusNote

references/patchmon-setup.md

curl -sSL https://raw.githubusercontent.com/PatchMon/PatchMon/main/agent/install.sh | sudo bash

The PatchMon setup guide recommends piping a remote script directly to sudo bash. This is user-directed and related to the skill's purpose, but it depends on remote code provenance at install time.

User impactIf the remote installer or its delivery path is compromised, it could run privileged code on monitored hosts.

RecommendationDownload and inspect installers before running them, pin versions or commits where possible, verify checksums/signatures, and avoid unpinned 'latest' components in production.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SETUP.md

This skill requires passwordless sudo access ... SSH key authentication ... PatchMon credentials

The skill requires privileged server access and credentials. This is expected for patch automation and is disclosed, but it is sensitive authority that users should review carefully.

User impactAnyone or anything that can use the configured SSH key and sudo rules may be able to modify packages and Docker workloads on target servers.

RecommendationUse a dedicated patching user and SSH key, restrict sudoers entries to the minimum commands, protect credential files with 0600 permissions, and rotate credentials regularly.