Is bigsan/openclaw-updater safe?

https://github.com/openclaw/skills/tree/main/skills/bigsan/openclaw-updater

Score: 78 (CAUTION)

The openclaw-updater skill provides genuine OpenClaw lifecycle management but contains several design choices that create meaningful risk in an AI agent context. The most significant concern is the mandatory Telegram API dependency: the update script exits if external Telegram credentials are absent, making every update invocation an unconditional egress event to a third-party service. Secondary concerns include an arbitrary script execution hook (BACKUP_SCRIPT), an npm global install sourced from a world-writable temp file, and blind git commits across workspace directories that could inadvertently record sensitive files. No prompt injection, canary exfiltration, or active malicious behavior was observed during the monitored installation.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (8)

HIGH Mandatory external Telegram API call blocks update completion -25

update.sh unconditionally checks for TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID at startup and exits with a non-zero status if either is missing. This design makes external network communication to api.telegram.org a hard requirement for running the standard update workflow. An AI agent following the skill's instructions will necessarily initiate an HTTPS POST to a third-party service on every update invocation, transmitting version metadata and gateway status.

MEDIUM Arbitrary executable invocation via BACKUP_SCRIPT environment variable -15

pre-update.sh reads and executes whatever path is in the BACKUP_SCRIPT environment variable without any path validation, sandboxing, or content verification. If an attacker can set this variable — through prompt injection, a chained skill, or a compromised environment — they can execute arbitrary code on the host as the agent user during any pre-update run.

MEDIUM npm global install with version from world-writable temp file -15

rollback.sh reads the previous OpenClaw version from /tmp/openclaw-prev-version.txt and passes it directly to 'npm install -g'. Because /tmp is world-writable, any process running as the same user or with write access to /tmp can overwrite this file with an arbitrary version string, potentially causing installation of a malicious npm package with global scope.

MEDIUM node -e with user-controlled config path executes as JavaScript -10

find-workspaces.sh passes the OPENCLAW_CONFIG variable directly into a node -e snippet using require(). Node's require() on a .js or .json file evaluates JavaScript. If the OPENCLAW_CONFIG environment variable points to an attacker-controlled file, arbitrary JavaScript executes in the node process with full access to the filesystem and network.

MEDIUM System metadata transmitted to Telegram API on every update -13

The notify() function in update.sh sends version strings and gateway status to api.telegram.org via curl. While individually low-sensitivity, this constitutes regular, automated disclosure of system operational state to a third-party platform outside the user's control boundary.

LOW Blind git add -A across all workspace directories before committing -5

pre-update.sh stages every file in every detected workspace directory with 'git add -A' and commits with a timestamp message. If workspace directories contain untracked secrets, credentials, or private data, those files will be permanently recorded in git history as a side effect of running the updater.

INFO No prompt injection or instruction override detected in SKILL.md -10

Full review of SKILL.md found only legitimate documentation of update, rollback, and notification workflows. No hidden directives, override instructions, invisible characters, or persona-switching commands were present.

INFO All honeypot canary files intact — no exfiltration via skill code 0

Honeypot files were opened twice in the audit session (at install start and end) by the oathe monitoring framework itself for baseline comparison. The skill scripts did not open, read, or transmit any canary file content.