auto-updater
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill's primary purpose is to 'Download skill updates from ClawdHub' and 'Install updates with dependency resolution.' Because ClawdHub is not a recognized trusted source, this allows for arbitrary code execution on the host system.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill is designed to retrieve metadata, executables, and dependencies from an external API (ClawdHub) at runtime.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill processes untrusted external content.
  - Ingestion points: Fetches 'skill metadata, changelog, and dependencies' from ClawdHub (SKILL.md).
  - Boundary markers: None identified; external text is displayed directly to the user/agent in examples (e.g., Example 5).
  - Capability inventory: Includes 'Automated Installation', 'Skill hot-reloading', 'Backing up current skill state', and 'Restoring skill files' (SKILL.md).
  - Sanitization: Package integrity and signatures are checked, but there is no sanitization of the natural-language fields (changelogs, descriptions), which could contain instructions to hijack the agent.
- [DYNAMIC_EXECUTION] (HIGH): The skill performs 'hot-reloading without bot restart,' which involves dynamically loading and executing newly downloaded code into the active memory of the agent process.
- [COMMAND_EXECUTION] (MEDIUM): Installation and rollback procedures likely involve shell commands for file manipulation, dependency resolution (npm/pip), and service management.
Recommendations
- AI detected serious security threats