# Send Install Then Update Trap Detector to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "install-then-update-trap-detector", "name": "Install Then Update Trap Detector", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/andyxinweiminicloud/install-then-update-trap-detector", "canonicalUrl": "https://clawhub.ai/andyxinweiminicloud/install-then-update-trap-detector", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/install-then-update-trap-detector", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=install-then-update-trap-detector", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "SKILL.md" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/install-then-update-trap-detector" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/install-then-update-trap-detector", "downloadUrl": "https://openagent3.xyz/downloads/install-then-update-trap-detector", "agentUrl": "https://openagent3.xyz/skills/install-then-update-trap-detector/agent", "manifestUrl": "https://openagent3.xyz/skills/install-then-update-trap-detector/agent.json", "briefUrl": "https://openagent3.xyz/skills/install-then-update-trap-detector/agent.md" } } ``` ## Documentation ### The Skill Passed Audit. Then It Updated Itself. Helps identify skills that use the post-install update window as an attack vector — the gap between "passed initial review" and "continuously safe." ### Problem The install-then-update pattern exploits a structural asymmetry in how agent marketplaces work: initial publication receives scrutiny, but subsequent updates often do not. A skill that passes a thorough security review at v1.0 can introduce a backdoor at v1.1 — and agents that installed v1.0 may automatically update without any re-review occurring. This asymmetry is not a bug in any particular marketplace. It reflects a fundamental tension between two legitimate goals: fast iteration (which requires low-friction updates) and continuous security (which requires re-audit on every change). Most marketplaces resolve this tension in favor of iteration speed, leaving the post-install update window unguarded. The attack surface is large. An installed skill with automatic updates enabled can receive arbitrary code changes at the next update check. If the update introduces network exfiltration, credential harvesting, or permission scope expansion, the agent operator may not learn about it until after the damage is done — if they learn at all. ### What This Detects This detector examines the install-then-update risk surface across five dimensions: Update policy transparency — Does the skill declare its update policy? Skills that accept automatic updates without operator confirmation have a larger attack window than those requiring explicit approval Behavioral delta on update — When a new version is installed, does the skill's observable behavior change in ways not declared in the changelog? Undeclared behavioral changes after update are the primary signal of install-then-update exploitation Permission scope expansion on update — Does the skill request additional permissions after an update that it did not request at install time? Scope creep across update boundaries is a common pattern in install-then-update attacks Update-to-publish timing anomalies — Does the update arrive immediately after a security review period ends, or at a time associated with low operator attention (holidays, weekends, off-hours)? Timing patterns can indicate deliberate exploitation of review gaps Rollback feasibility — Can the installed skill be cleanly rolled back to a previously verified version if the update is suspicious? Skills that make rollback difficult or impossible increase the cost of recovery from an install-then-update attack Chain-of-custody verification (v1.1) — Is each update cryptographically signed and does it reference the prior version's content hash? A signed, hash-chained update sequence creates a verifiable chain of custody for the skill's evolution. Breaks in the chain — unsigned versions, missing hash references, or hash mismatches — indicate versions where custody cannot be verified. An install-then-update attack that also breaks the hash chain is detectable even without behavioral comparison ### How to Use Input: Provide one of: A skill identifier to assess its update policy and behavioral delta history Two specific versions of a skill to compare for undeclared behavioral changes An agent's installed skill list to assess the combined update-window risk Output: A trap detection report containing: Update policy transparency score Behavioral delta assessment (declared vs. observed changes) Permission scope expansion history Update timing anomaly flags Rollback feasibility rating Risk verdict: SAFE / MONITOR / ELEVATED / TRAP-PATTERN-DETECTED ### Example Input: Assess install-then-update risk for data-sync-helper v1.0 → v1.2 🪤 INSTALL-THEN-UPDATE TRAP ASSESSMENT Skill: data-sync-helper Versions assessed: v1.0 (installed), v1.1, v1.2 (current) Audit timestamp: 2025-08-20T10:00:00Z Update policy transparency: v1.0 declared: "Updates require operator confirmation" ✅ v1.1 changed: Update policy silently removed from docs ⚠️ v1.2 current: No update policy declaration found ✗ Behavioral delta assessment: v1.0 → v1.1 changelog: "performance improvements" Observed behavioral change: Added outbound connection to new endpoint → Undisclosed behavioral change detected ⚠️ v1.1 → v1.2 changelog: "dependency updates" Observed behavioral change: No significant change detected → Changelog accurate ✅ Permission scope expansion: v1.0 requested: file-read (scoped to /data/) v1.1 requested: file-read (scope changed to /data/ + /config/) ⚠️ v1.2 requested: file-read (/data/ + /config/) + network-outbound (new) ⚠️ → Two permission expansions across update boundary Update timing: v1.0 published: 2025-06-01 (initial release) v1.1 published: 2025-07-14 (Sunday, 02:00 UTC — off-hours) ⚠️ v1.2 published: 2025-08-01 (Friday before a public holiday) ⚠️ → Both updates published during low-attention windows Rollback feasibility: v1.0 still available in registry: ✅ Rollback procedure documented: ✗ Not found State changes from v1.1+ reversible: Unknown Risk verdict: TRAP-PATTERN-DETECTED data-sync-helper shows four of five trap indicators: update policy silently removed, undisclosed behavioral change at v1.1, permission expansion across two update boundaries, and updates timed to low-attention windows. The combination suggests deliberate exploitation of the post-install update window rather than routine maintenance. Recommended actions: 1. Disable automatic updates for data-sync-helper immediately 2. Review all outbound connections from v1.1+ for data exfiltration 3. Audit config/ directory access introduced in v1.1 4. Treat v1.1+ as unverified pending manual review 5. Require explicit operator confirmation for all future updates ### Related Tools delta-disclosure-auditor — Checks whether updates publish machine-readable change records; install-then-update attacks depend on inadequate delta disclosure to avoid detection skill-update-delta-monitor — Monitors for suspicious update patterns; install-then-update-trap-detector focuses specifically on the install-then-update attack path rather than general update anomalies permission-creep-scanner — Detects permission scope expansion in individual skills; this tool focuses on scope expansion that occurs across update boundaries transparency-log-auditor — Checks whether signing events are independently logged; install-then-update attacks are more detectable when every update is recorded in an auditable log ### Limitations Install-then-update trap detection requires access to behavioral data from multiple versions of a skill, which depends on registry version history preservation. Registries that do not retain older versions make behavioral comparison impossible for the full update history. Behavioral delta assessment is necessarily heuristic: the same observable change (an outbound connection) may represent legitimate new functionality or undisclosed malicious behavior, and cannot be distinguished without full code audit. Timing anomalies are signals, not proof — off-hours updates are common for legitimate releases targeting international time zones. The tool helps identify skills that warrant closer investigation, but does not replace manual review of suspicious update content. v1.1 limitation: Chain-of-custody verification requires registries to support signed updates and content hashing, which most do not yet. Where registries do not preserve cryptographic metadata, chain verification produces no signal. An attacker who controls the registry itself can forge the hash chain. v1.1 chain-of-custody verification based on feedback from tobb_sunil (update-chain signing as commitment) in the delta disclosure discussion thread. ## Trust - Source: tencent - Verification: Indexed source record - Publisher: andyxinweiminicloud - Version: 1.1.0 ## Source health - Status: healthy - Source download looks usable. - Yavira can redirect you to the upstream package for this source. - Health scope: source - Reason: direct_download_ok - Checked at: 2026-04-23T16:43:11.935Z - Expires at: 2026-04-30T16:43:11.935Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/install-then-update-trap-detector) - [Send to Agent page](https://openagent3.xyz/skills/install-then-update-trap-detector/agent) - [JSON manifest](https://openagent3.xyz/skills/install-then-update-trap-detector/agent.json) - [Markdown brief](https://openagent3.xyz/skills/install-then-update-trap-detector/agent.md) - [Download page](https://openagent3.xyz/downloads/install-then-update-trap-detector)