Back to skill

Security audit

Muguozi1 Openclaw Auto Updater

Security checks across malware telemetry and agentic risk

Overview

This skill is an advertised auto-updater, but it can repeatedly change the core agent and every installed skill without per-update review.

Install only if you intentionally want unattended daily updates and trust both the publisher and the upstream package and skill registries. Prefer using dry-run or notification-only mode first, restrict updates to trusted skills where possible, keep backups, and confirm you can remove the cron job with `clawdbot cron remove "Daily Auto-Update"`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to use shell-capable operations to install updates, modify software, and register a cron job, yet it declares no permissions. That creates a transparency and policy gap: users or enforcement systems may not realize the skill can execute privileged system changes on a recurring basis.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill promotes unattended daily auto-updates but does not prominently warn that it will repeatedly modify the Clawdbot installation and installed skill files. This can lead users to enable persistent self-modifying behavior without understanding the supply-chain, stability, and operational risks of automatic updates.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly sets up unattended daily updates that modify the bot and installed skills, but it does not require an explicit user acknowledgement of the risks of automatic system changes. This is dangerous because it enables silent supply-chain or compatibility changes to be pulled and executed on a schedule, potentially breaking the environment or introducing malicious updates without timely review.

Self-Modification

High
Category
Rogue Agent
Content
# Capture new version
CLAWDBOT_VERSION_AFTER=$(clawdbot --version 2>/dev/null || echo "unknown")

# Update skills
log "Updating skills via ClawdHub..."
SKILL_OUTPUT=$(clawdhub update --all 2>&1) || true
echo "$SKILL_OUTPUT" >> "$LOG_FILE"
Confidence
97% confidence
Finding
Update skill

VirusTotal

40/40 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.