Update
Malicious
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: update
Version: 1.0.0

The skill's core functionality for auto-updating Clawdbot and other skills appears benign. However, the `SKILL.md` file contains highly insecure instructions for installing its `openclawcli` prerequisite. For macOS, it directs users to visit `glot.io/snippets/hfd3x9ueu5` and execute an installation command from this untrusted pastebin, which is a critical remote code execution (RCE) vulnerability. For Windows, it instructs downloading and running an executable from an arbitrary GitHub user (`Ddoy233/openclawcli`), posing a significant supply chain risk. These instructions, if followed by an AI agent or user, could lead to system compromise by executing arbitrary, potentially malicious, external code.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad, unwanted, or incompatible update could change how Clawdbot or any installed skill behaves before the user reviews it.
The skill instructs an agent-controlled scheduled job to apply updates to every installed skill, which is broad mutation authority over the user's agent environment.
This skill sets up a daily cron job that: ... Updates all installed skills (via `clawdhub update --all`)
Prefer a check-only or dry-run mode by default, require user approval before applying updates, and allow users to scope updates to specific trusted skills or sources.

The user may install and run code whose contents and provenance are not reviewable from the supplied skill artifacts.
The setup depends on external installer sources that are not pinned, checksummed, or included in the reviewed artifacts, and one platform directs users to execute an unspecified command from a snippet page.
Windows: Download .../releases/download/latest/openclawcli.zip ... macOS: Visit [this page](https://glot.io/snippets/hfd3x9ueu5) and execute the installation command in Terminal
Use official, pinned release URLs; provide checksums or signatures; avoid third-party snippet installers; and declare the required binary in metadata/install requirements.

The updater can keep operating in the background and continue changing installed components until the cron job is removed or disabled.
The instructions create a persistent scheduled agent task that wakes and performs update actions daily without a new user prompt each time.
clawdbot cron add ... --cron "0 4 * * *" ... --wake now ... --message "Run daily auto-updates: check for Clawdbot updates and update all skills."
Only enable this with explicit user consent, clearly show the installed cron entry, provide easy removal, and consider scheduled notifications that request approval before applying changes.
