OpenClaw Self-Update (Zero Downtime)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenClaw updater, but it needs review because it can change installed code and restart services while its activation and confirmation controls are too loose.

Install only if you deliberately want an agent to update OpenClaw itself. Before any run, require an explicit request naming OpenClaw, review the target version and release notes, confirm the detected npm and systemd paths, and be prepared for a service restart or rollback. Do not let this skill act on generic update requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The document gives conflicting safety behavior for directory mismatches: one section says a mismatch must abort, while another says the skill may auto-sync code when directories differ. In a self-update skill that modifies installed code and service configuration, contradictory control flow can cause unsafe execution in an unsupported layout, leading to overwriting the wrong path or breaking rollback assumptions.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases include broad expressions like '帮我更新' ("help me update") and '检查更新' ("check for updates"), which can match ordinary conversation not clearly requesting a risky self-update operation. Because this skill performs package installation, service restart, and possible rollback, accidental activation could lead to unintended self-modification of the running system.

Vague Triggers

Medium
Confidence: 90%
Finding
The activation rule allows broad contextual inference ('any conversation involving OpenClaw self-upgrade') without clear exclusion criteria. That ambiguity is dangerous here because the skill can change global npm state and restart a systemd service, so inferred intent may be wrong and cause unintended operational impact.

VirusTotal

64/64 vendors flagged this skill as clean.
