auto-updater
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill provides instructions for the agent to create and run a local shell script (auto-update.sh) and to establish a recurring task via the clawdbot cron system; the implementation guide also suggests using 'sudo' for global package updates.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The automated process triggers 'npm update' and 'clawdhub update', which download and execute new code from external repositories without direct user confirmation for each update, representing a significant capability surface.
- [EXTERNAL_DOWNLOADS] (LOW): Software packages are retrieved from standard public registries (npm, pnpm, bun) and the official skill registry, which are generally trusted sources but represent an external dependency chain.