Is auto-updater safe?

https://clawhub.ai/auto-updater-skill/auto-updater

74
CAUTION

The auto-updater skill is not itself malicious: it contains no obfuscated code, no exfiltration mechanism and no hidden prompt injection. Its core design, however, creates a significant persistent attack surface. It installs a daily cron job that, in an isolated agent session with no real-time user oversight, replaces global npm packages and updates every installed skill. That makes the skill an amplifier for supply chain attacks: if any upstream registry (npm for the clawdbot package, or the skill registry for any installed skill) is compromised, the malicious version is installed automatically and silently, with no approval gate in between.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (7)

HIGH Autonomous global package replacement via cron -25

The skill instructs the agent to run 'npm update -g clawdbot@latest' on a daily cron schedule in an isolated session. This replaces the globally installed clawdbot package, including any install-time scripts the new version ships, with whatever version the registry currently tags as latest. If the npm publisher account is compromised, this becomes an automatic malware delivery mechanism with no user approval gate.

HIGH Unsupervised supply chain update vector -30

The combination of automatic updates for ALL installed skills (clawdhub update --all), running in an isolated session at 4 AM, creates a persistent, unsupervised supply chain attack surface. A compromised registry entry for any one installed skill would be pulled and activated silently, and every later agent session would run with the modified skill content in place.

MEDIUM Delayed autonomous command execution via cron message -20

The cron --message parameter carries a multi-step instruction set that the agent executes autonomously. While this is the skill's intended design, the effect is a scheduled set of instructions the agent follows without real-time user oversight or approval, which is the same execution model a prompt injection relies on.

MEDIUM Agent instructed to create and execute shell script -20

The agent-guide.md contains a complete bash script template that the agent is instructed to write to ~/.clawdbot/scripts/auto-update.sh. This script runs with the user's full permissions and includes global package manager operations.
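The two HIGH findings and the shell-script finding above all come down to one missing control: the cron job installs whatever the registry currently serves, with no review step. The script below is an added example of how that step can be put back; it is not the skill's own auto-update.sh and not code from the Clawdbot project. It assumes a hypothetical pin file that a human maintains (package, reviewed version, reviewed integrity hash) and a hypothetical review queue file; the package name comes from the finding above, and `npm view <pkg>@latest version` / `npm view <pkg>@latest dist.integrity` are real npm commands that print the registry's current version string and SRI hash.

```shell
#!/bin/sh
# Added example (not the skill's own auto-update.sh): a gated alternative to
# blindly running `npm update -g clawdbot@latest` from cron. The cron job may
# only install a version that a human has already reviewed and recorded in a
# pin file, and only if the registry's integrity hash still matches that pin.
# Anything else is queued for review instead of being installed.
#
# Assumed (hypothetical) file locations; override via the environment.
PIN_FILE="${PIN_FILE:-$HOME/.config/auto-update/pins.txt}"
QUEUE_FILE="${QUEUE_FILE:-$HOME/.config/auto-update/review-queue.txt}"

# Pin file format (constructed for this example), one package per line:
#   <package> <version> <integrity>
# e.g.  clawdbot 1.4.2 sha512-<base64 digest exactly as printed by npm view>

# gate PKG VERSION INTEGRITY -> prints one of: install, hold, mismatch
gate() {
  pkg=$1; ver=$2; integ=$3
  [ -r "$PIN_FILE" ] || { echo hold; return 0; }   # no pin file: never auto-install
  line=$(awk -v p="$pkg" '$1 == p { print; exit }' "$PIN_FILE")
  [ -n "$line" ] || { echo hold; return 0; }       # unpinned package: hold for review
  set -- $line                                     # split the pin line into its fields
  pinned_ver=$2; pinned_integ=$3
  if [ "$ver" != "$pinned_ver" ]; then
    echo hold       # a new version was published; nobody has reviewed it yet
  elif [ "$integ" != "$pinned_integ" ]; then
    echo mismatch   # same version string, different bytes: treat as tampering
  else
    echo install    # exactly the reviewed version and hash
  fi
}

# update_pinned PKG: ask the registry what "latest" is, then act on the gate.
update_pinned() {
  pkg=$1
  ver=$(npm view "$pkg@latest" version 2>/dev/null) \
    || { echo "npm view failed for $pkg" >&2; return 1; }
  integ=$(npm view "$pkg@latest" dist.integrity 2>/dev/null) \
    || { echo "npm view failed for $pkg" >&2; return 1; }
  case $(gate "$pkg" "$ver" "$integ") in
    install)
      npm install -g "$pkg@$ver"    # exact reviewed version, never @latest
      ;;
    hold)
      mkdir -p "$(dirname "$QUEUE_FILE")"
      printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$pkg" "$ver" "$integ" \
        >> "$QUEUE_FILE"
      echo "$pkg@$ver queued for review, not installed" >&2
      ;;
    mismatch)
      echo "INTEGRITY MISMATCH for $pkg@$ver, refusing to install" >&2
      return 2
      ;;
  esac
}

# From cron:  sh auto-update-gated.sh run
case "${1:-}" in run) update_pinned clawdbot ;; esac
```

npm already checks the downloaded tarball against the registry's own dist.integrity value, so that check alone does not help when the registry or the publisher account is the thing that was compromised. What the gate adds is a comparison of the registry's claimed version and hash against a record a human wrote down after looking at that release: a hijacked account pushing a new version lands in the review queue, and a registry serving different bytes under an already-reviewed version number is refused outright. The same pattern would need to be applied to the `clawdhub update --all` step for the skill registry, which this page does not describe in enough detail to write out.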

MEDIUM Auto-approval of migrations without user consent -10

The skill instructs use of 'clawdbot doctor --yes' which auto-approves all migrations. Migrations could include destructive operations (config rewrites, schema changes) that the user should review.

LOW Sensitive file reads during runtime initialization -15

Filesystem monitoring detected reads of .env, .aws/credentials, and auth-profiles.json during the install phase. These appear to be from the Clawdbot runtime environment initialization rather than the skill itself, but they demonstrate that the execution environment has access to sensitive credentials.

INFO Normal runtime initialization activity -10

The /tmp/jiti/ cache files and /tmp/openclaw-1000/ directory are standard Clawdbot runtime artifacts from the jiti JIT compiler and gateway lock file. No anomalous clone behavior detected.