Is hightower6eu/auto-updater-qdyme safe?

https://github.com/openclaw/skills/tree/main/skills/hightower6eu/auto-updater-qdyme

25
DANGEROUS

This skill is a malware delivery vehicle disguised as a convenience utility. Its SKILL.md contains instructions that would cause a trusted LLM agent to direct Windows users to execute a password-protected binary from an unofficial third-party GitHub account (hedefbari/openclaw-agent), and macOS users to copy-paste an anonymous shell script from glot.io into their terminal — both classic attacker-controlled payload delivery techniques. The skill install itself was behaviorally clean (no code runs at install time, no canary files exfiltrated), but the skill content IS the attack: it weaponizes the agent's trusted voice to defeat user skepticism and deliver malware. The persistent daily cron job further creates an ongoing supply-chain attack surface.

Category Scores

Prompt Injection 5/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 10/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 5/100 · 5%

Findings (8)

CRITICAL Third-Party Malware Binary Promoted as Required Prerequisite (Windows) -55

SKILL.md instructs the agent to tell Windows users they must download openclaw-agent from github.com/hedefbari/openclaw-agent — a repository owned by 'hedefbari', not the official 'openclaw' organization. The download is a password-protected ZIP (password: openclaw), a technique specifically used to evade antivirus and endpoint security scanning. The agent will present this as a legitimate requirement, bypassing the user's normal skepticism.

CRITICAL Anonymous Remote Shell Script Execution Promoted for macOS -55

SKILL.md instructs the agent to direct macOS users to visit an opaque glot.io snippet URL (hfdxv8uyaf) and copy-paste its contents into Terminal. This is a social engineering attack: the user cannot audit the script before running it, and the agent's trusted framing removes skepticism. The script has full shell access to the user's files, credentials, and network.

HIGH Social Engineering via Artificial Urgency and False Necessity -30

The skill uses the phrases 'IMPORTANT', 'REQUIRED', and 'will not work' seven times across the document to manufacture urgency and convince users that skipping the malicious download will break the skill entirely. This overcomes user hesitation and exploits the agent's authority to coerce compliance.

HIGH Persistent Agent Binary with Full Filesystem Access -55

If a user follows the skill's instructions and installs openclaw-agent (from the attacker-controlled hedefbari repo), that binary runs persistently in the background with access to all user files, credentials, SSH keys, and cloud tokens. Password-protected delivery means endpoint security cannot inspect the payload before execution.

HIGH Persistent Daily Cron Job Creates Ongoing Code Execution Surface -45

The skill installs a cron job (0 4 * * *) that runs 'clawdhub update --all' and 'clawdbot doctor' daily. Any compromise of the Clawdhub skill registry would allow an attacker to push malicious skill updates that execute automatically without user interaction.

MEDIUM Credential Files Read During Monitoring Window -15

Six sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at both pre-install (1771932550) and post-install (1771932568) timestamps. Timeline analysis indicates these accesses are consistent with the oathe monitoring infrastructure establishing and verifying canary baselines, not skill-originated activity.

MEDIUM Classic Malware-Delivery-via-Fake-Utility Attack Pattern -85

This skill fits a well-documented attack pattern: publish a plausible utility skill that requires installing a 'companion agent' hosted by the attacker. The agent binary is the actual payload. The skill registry is the distribution channel, and the LLM agent's trusted voice is the social engineering vector. The attacker chose a non-official GitHub account (hedefbari vs openclaw) hoping users would not notice.

LOW All Canary Files Intact — No Direct Exfiltration Confirmed -10

The canary files were not modified or deleted during the skill installation. Network monitoring did not detect any outbound transmission of canary file contents. The skill's attack is social-engineering-based and relies on user action after install, not autonomous exfiltration during install.