sys-updater

Security checks across malware telemetry and agentic risk

Overview

This maintenance skill has a plausible purpose, but it can change system packages and OpenClaw skills in ways that conflict with its own safety documentation.

Install only if you explicitly want unattended package maintenance and automatic OpenClaw skill updates. Use a dedicated account, keep sudoers restricted to the exact documented commands, review or disable the apt install/autoremove and report-time clawhub update paths, and do not treat report_9am or apt_maint.py --dry-run as fully side-effect free.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
skills_updated = []
skills_with_changes = []
try:
    update_result = subprocess.run(
        ["clawhub", "update", "--all", "--no-input"],
        capture_output=True, text=True, timeout=60
    )
Confidence
97% confidence
Finding
update_result = subprocess.run( ["clawhub", "update", "--all", "--no-input"], capture_output=True, text=True, timeout=60 )

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation contradicts itself: it says there is no package installation/removal through sudo, yet explicitly permits `unattended-upgrade -d`, which performs privileged package installation of security updates. This mismatch can mislead operators about the true privilege and change scope of the skill, weakening review and trust boundaries around an automated root-capable updater.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The CLI help claims dry-run means commands won't execute, but the implementation only suppresses sudo-prefixed commands. Non-sudo subprocesses such as pkg_maint.py, clawhub list, clawhub update, and auto-review/retry logic still run and may modify external state, so operators can be misled into performing real changes during a supposed simulation.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The module documentation says report_9am renders a human report from last run state, but render_report also invokes clawhub update --all --no-input. A nominally read-only reporting action that performs updates can unexpectedly alter installed skills and execute downstream update hooks, creating an opaque and dangerous side effect.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The module advertises a conservative review-before-upgrade workflow, but skills are explicitly exempted and updated immediately during check mode. Because skills are executable agent extensions and should be treated as untrusted code/content, bypassing quarantine and review materially weakens the trust model and can introduce malicious or breaking updates automatically.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documented reset sequence deletes the tracking state file and immediately regenerates it without any warning that review history, blocked-package state, or other operator decisions may be lost. In an operational skill, this can cause accidental loss of security workflow state and lead to packages being reprocessed or previously blocked items no longer being tracked as intended.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill-update logic enumerates installed skills and runs clawhub update on each one automatically, without any user-facing confirmation or approval gate. In the context of agent skills, this is dangerous because it silently pulls and installs changed code or prompts from an external source, expanding the attack surface for supply-chain compromise and unexpected behavior.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Sudoers Setup

sys-updater requires passwordless sudo for specific apt commands.

## Required Commands
Confidence
93% confidence
Finding
sudo

Tool Parameter Abuse

High
Category
Tool Misuse
Content
cat state/apt/tracked.json | jq '.items | to_entries | map(select(.value.blocked)) | .[].key'

# Clear old tracking (reset)
rm state/apt/tracked.json
python3 scripts/apt_maint.py run_6am
Confidence
92% confidence
Finding
rm state/apt/

VirusTotal

65/65 vendors flagged this skill as clean.
