Openclaw Autoupdate

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw updater, but it performs high-impact system changes more broadly and silently than the documentation clearly explains.

Install or run this only if you trust the publisher and the OpenClaw GitHub and npm release channels. Before running it, confirm the target version, make sure you are comfortable replacing the installed OpenClaw app and globally updating the CLI, and have a rollback path if the update fails.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill invokes shell-based behavior but does not declare corresponding permissions, which weakens transparency and policy enforcement. In an auto-update skill, hidden shell capability is meaningful because it can execute system-level changes, network operations, and service restarts without explicit user awareness.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 97% confidence
Finding: The documentation understates the actual behavior: replacing an application bundle, performing global npm installation, contacting external services, restarting a gateway, and writing persistent logs are all high-impact operations. This mismatch is dangerous because users and reviewers may approve the skill under false assumptions, enabling broad system modification and supply-chain exposure through remote downloads and package updates.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script silently deletes an existing application bundle from /Applications and performs a global npm package installation without any confirmation, rollback, integrity verification, or safety checks. In an auto-update skill, this is risky because a failed download, malicious upstream package, or partial install can break the local installation or replace trusted software unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal