Back to skill

Security audit

Upgrade Guardian

Security checks across malware telemetry and agentic risk

Overview

Upgrade Guardian is a transparent upgrade-audit checklist; review its manual cleanup and monitoring commands before running them.

Reasonable to install for OpenClaw upgrade planning. Before use, confirm the target workspace/deployment, approve any config changes or production-impacting tests, preview backup deletion candidates, and keep generated reports free of secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence
86% confidence
Finding
The skill explicitly instructs the agent to save reports into workspace-relative paths, which can cause file creation or modification as part of normal execution. While the paths are constrained to the workspace and the content is operationally relevant, the skill does not clearly warn the operator that running it will persist artifacts, so it creates an unexpected write side effect that could overwrite existing files or leave sensitive upgrade details on disk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The checklist includes irreversible deletion commands (`xargs rm -f` and `find ... -delete`) for backup cleanup without an explicit warning, confirmation step, or safer preview mode. In an operational runbook, users may copy-paste these commands directly, and a path mistake, glob expansion issue, or unexpected file layout could permanently remove backups needed for recovery.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The document instructs users to create a script in the home directory, mark it executable, and launch it with `nohup` in the background, but it does not clearly warn about unattended execution, resource consumption, or persistence after the user disconnects. This can lead to unexpected long-running processes, stale monitoring jobs, and log growth on production hosts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.