Is auto-updater safe?

https://clawhub.ai/maximeprades/auto-updater

72
CAUTION

This skill is a markdown-only auto-updater that instructs the agent to schedule a daily cron job running global package updates and skill registry pulls in an isolated session without per-run user approval. While it contains no malicious code, executable payloads, or exfiltration attempts, its core design creates a persistent unsupervised execution channel that could amplify supply chain attacks if the upstream registry or packages are compromised. The skill normalizes autonomous agent execution of privileged operations (global npm installs, script creation) without interactive oversight.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 60/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 50/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (7)

HIGH Unsupervised global package installation via cron -35

The skill schedules a daily cron job that runs 'npm update -g clawdbot@latest' and 'clawdhub update --all' in an isolated agent session. Global npm updates can install arbitrary code system-wide. The user does not review or approve each update cycle — it runs autonomously at 4 AM.

HIGH Agent instructed to create and execute shell scripts autonomously -25

agent-guide.md Step 2 directs the agent to write a bash script to ~/.clawdbot/scripts/auto-update.sh with full shell access (set -e, tee, command execution). This script creation is presented as a standard agent action, normalizing file-write + execute patterns.

MEDIUM Cron job bypasses interactive user approval -15

The cron message contains multi-step agent instructions ('1. Check and update Clawdbot... 2. Update all skills... 3. Report back') that execute in an isolated session. This is effectively an autonomous agent prompt that runs without the user being present to approve tool use.

MEDIUM Supply chain attack amplifier -40

By automatically updating all skills from the ClawdHub registry daily, this skill creates a persistent vector for supply chain attacks. If any skill in the registry is compromised, the auto-updater will silently deploy the compromised version without user review.

MEDIUM Shell script written to persistent location -15

The agent guide instructs creating a persistent shell script at ~/.clawdbot/scripts/auto-update.sh that runs with the user's full permissions. While the script content appears benign, the pattern of writing executable scripts to disk and scheduling them creates a persistence mechanism.

LOW References external documentation URLs -5

SKILL.md links to docs.clawd.bot URLs. While these are first-party documentation links (not arbitrary external resources), they could theoretically serve modified content if the documentation site were compromised.

INFO Clean installation with no runtime artifacts 0

The skill installed cleanly with no network activity, no unexpected processes, and no filesystem changes outside its directory. The filesystem events in /tmp/jiti/ are from the clawdhub CLI toolchain itself, not the skill.