Auto Updater Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed auto-updater, but it creates recurring automation that can update the core agent and all installed skills without per-update review.

Install only if you intentionally want unattended updates to the agent and all installed skills. Prefer a dry-run or notification-only schedule first, disable missed-run catch-up if surprise updates are undesirable, review major skill changes before applying them, and keep a rollback path or backups for the agent and skill directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The guide directs the agent to run `clawdhub update --all`, which expands behavior beyond updating the core product into modifying all installed skills. That creates an unnecessary supply-chain and scope-expansion risk, because a routine intended for core auto-updates can silently change unrelated extensions with different trust levels and operational impact.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The scheduled cron message instructs unattended updates for both the main application and all skills, broadening the operational authority of the job beyond the stated auto-updater purpose. Because this runs automatically on a timer, any bad update, compromised package, or incompatible skill can be introduced without user review.

Vague Triggers

Medium
Confidence: 87%
Finding
The skill exposes a very broad natural-language trigger phrase for a high-impact action: scheduling automatic updates of the bot and all installed skills. Broad triggers increase the chance of unintended invocation or social-engineering-induced setup, which can lead to unauthorized persistent changes to system behavior.

Missing User Warnings

Medium
Confidence: 93%
Finding
The description explains functionality but does not prominently warn that the skill will create a scheduled job that performs automatic updates to the bot and all skills. For a persistence-creating, system-modifying capability, lack of clear upfront warning weakens informed consent and increases the chance of users enabling recurring privileged actions without understanding the consequences.

Missing User Warnings

Medium
Confidence: 87%
Finding
The document provides end-to-end instructions for unattended execution of system-modifying commands, including package-manager updates, source updates, and scheduled cron automation, but does not include safety gates or warnings. In an agent context, that increases the chance of autonomous changes to software, configuration, and runtime behavior without adequate human review or rollback planning.

Ssd 3

Medium
Confidence: 90%
Finding
The skill recommends logging detailed update steps to a persistent memory path and sending summaries via email/chat. Update logs and reports can naturally contain package names, versions, file paths, error messages, environment details, and potentially sensitive operational metadata, creating a data leakage channel if stored too broadly or transmitted externally.

VirusTotal

66/66 vendors flagged this skill as clean.
