andyxinweiminicloud

Install Then Update Trap Detector

Author: andyxinweiminicloud · GitHub ↗ · v1.1.0
cross-platform ✓ Passed security check
Total downloads: 524
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw:
/install install-then-update-trap-detector
Description
Helps detect the install-then-update attack pattern — where a skill passes initial security review cleanly, then silently introduces malicious behavior throu...
Usage (SKILL.md)


# The Skill Passed Audit. Then It Updated Itself.

Helps identify skills that use the post-install update window as an attack vector — the gap between "passed initial review" and "continuously safe."

## Problem

The install-then-update pattern exploits a structural asymmetry in how agent marketplaces work: initial publication receives scrutiny, but subsequent updates often do not. A skill that passes a thorough security review at v1.0 can introduce a backdoor at v1.1 — and agents that installed v1.0 may automatically update without any re-review occurring.

This asymmetry is not a bug in any particular marketplace. It reflects a fundamental tension between two legitimate goals: fast iteration (which requires low-friction updates) and continuous security (which requires re-audit on every change). Most marketplaces resolve this tension in favor of iteration speed, leaving the post-install update window unguarded.

The attack surface is large. An installed skill with automatic updates enabled can receive arbitrary code changes at the next update check. If the update introduces network exfiltration, credential harvesting, or permission scope expansion, the agent operator may not learn about it until after the damage is done — if they learn at all.

## What This Detects

This detector examines the install-then-update risk surface across five dimensions:

1. Update policy transparency — Does the skill declare its update policy? Skills that accept automatic updates without operator confirmation have a larger attack window than those requiring explicit approval.

2. Behavioral delta on update — When a new version is installed, does the skill's observable behavior change in ways not declared in the changelog? Undeclared behavioral changes after update are the primary signal of install-then-update exploitation.

3. Permission scope expansion on update — Does the skill request additional permissions after an update that it did not request at install time? Scope creep across update boundaries is a common pattern in install-then-update attacks.

4. Update-to-publish timing anomalies — Does the update arrive immediately after a security review period ends, or at a time associated with low operator attention (holidays, weekends, off-hours)? Timing patterns can indicate deliberate exploitation of review gaps.

5. Rollback feasibility — Can the installed skill be cleanly rolled back to a previously verified version if the update is suspicious? Skills that make rollback difficult or impossible increase the cost of recovery from an install-then-update attack.

6. Chain-of-custody verification (v1.1) — Is each update cryptographically signed, and does it reference the prior version's content hash? A signed, hash-chained update sequence creates a verifiable chain of custody for the skill's evolution. Breaks in the chain — unsigned versions, missing hash references, or hash mismatches — indicate versions where custody cannot be verified. An install-then-update attack that also breaks the hash chain is detectable even without behavioral comparison.

## How to Use

Input: Provide one of:

- A skill identifier to assess its update policy and behavioral delta history
- Two specific versions of a skill to compare for undeclared behavioral changes
- An agent's installed skill list to assess the combined update-window risk

Output: A trap detection report containing:

- Update policy transparency score
- Behavioral delta assessment (declared vs. observed changes)
- Permission scope expansion history
- Update timing anomaly flags
- Rollback feasibility rating
- Risk verdict: SAFE / MONITOR / ELEVATED / TRAP-PATTERN-DETECTED

## Example

Input: Assess install-then-update risk for data-sync-helper v1.0 → v1.2

```
🪤 INSTALL-THEN-UPDATE TRAP ASSESSMENT

Skill: data-sync-helper
Versions assessed: v1.0 (installed), v1.1, v1.2 (current)
Audit timestamp: 2025-08-20T10:00:00Z

Update policy transparency:
  v1.0 declared: "Updates require operator confirmation" ✅
  v1.1 changed:  Update policy silently removed from docs ⚠️
  v1.2 current:  No update policy declaration found ✗

Behavioral delta assessment:
  v1.0 → v1.1 changelog: "performance improvements"
  Observed behavioral change: Added outbound connection to new endpoint
  → Undisclosed behavioral change detected ⚠️

  v1.1 → v1.2 changelog: "dependency updates"
  Observed behavioral change: No significant change detected
  → Changelog accurate ✅

Permission scope expansion:
  v1.0 requested: file-read (scoped to /data/)
  v1.1 requested: file-read (scope changed to /data/ + /config/) ⚠️
  v1.2 requested: file-read (/data/ + /config/) + network-outbound (new) ⚠️
  → Two permission expansions across update boundary

Update timing:
  v1.0 published: 2025-06-01 (initial release)
  v1.1 published: 2025-07-14 (Sunday, 02:00 UTC — off-hours) ⚠️
  v1.2 published: 2025-08-01 (Friday before a public holiday) ⚠️
  → Both updates published during low-attention windows

Rollback feasibility:
  v1.0 still available in registry: ✅
  Rollback procedure documented: ✗ Not found
  State changes from v1.1+ reversible: Unknown

Risk verdict: TRAP-PATTERN-DETECTED
  data-sync-helper shows four of five trap indicators:
  update policy silently removed, undisclosed behavioral change at v1.1,
  permission expansion across two update boundaries, and updates timed
  to low-attention windows. The combination suggests deliberate exploitation
  of the post-install update window rather than routine maintenance.

Recommended actions:
  1. Disable automatic updates for data-sync-helper immediately
  2. Review all outbound connections from v1.1+ for data exfiltration
  3. Audit config/ directory access introduced in v1.1
  4. Treat v1.1+ as unverified pending manual review
  5. Require explicit operator confirmation for all future updates
```
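As an added illustration (not the skill's own code), the following Python sketch shows how dimensions 2, 3, 4 and 6 from "What This Detects" can be checked mechanically over version records shaped like the report above. The HMAC-based "signature", the content-hash layout, the off-hours rule and the verdict thresholds are this example's assumptions; the sample version records are constructed to mirror the data-sync-helper case.

```python
import hashlib
import hmac
from datetime import datetime, timezone

KEY = b"constructed-publisher-key"  # HMAC stands in for the registry's real signature scheme
def content_hash(v):  # commits to version, changelog, permissions and the prior version's hash
    m = f"{v['version']}|{v['changelog']}|{'|'.join(sorted(v['permissions']))}|{v.get('prev_hash')}"
    return hashlib.sha256(m.encode()).hexdigest()
def sign(digest):
    return hmac.new(KEY, digest.encode(), hashlib.sha256).hexdigest()
def off_hours(ts):  # assumed rule: weekend, or 00:00-06:00 UTC, counts as a low-attention window
    t = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return t.weekday() >= 5 or t.hour < 6

def assess(versions):
    """Walk ordered version records; return (indicator list, verdict)."""
    found, prev = [], None
    for v in versions:
        sig_ok = hmac.compare_digest(v.get("signature", ""), sign(content_hash(v)))
        chain_ok = prev is None or v.get("prev_hash") == content_hash(prev)
        if not (sig_ok and chain_ok):                # dimension 6: custody break
            found.append(f"{v['version']}: custody break")
        if prev is not None:
            added = set(v["permissions"]) - set(prev["permissions"])
            if added:                                # dimension 3: scope expansion
                found.append(f"{v['version']}: new permissions {sorted(added)}")
            undeclared = set(v["observed"]) - set(prev["observed"]) - set(v["declared"])
            if undeclared:                           # dimension 2: undeclared behavior
                found.append(f"{v['version']}: undeclared {sorted(undeclared)}")
            if off_hours(v["published"]):            # dimension 4: timing
                found.append(f"{v['version']}: off-hours publish")
        prev = v
    n = len(found)  # verdict thresholds are this example's assumption, not the skill's
    return found, (["SAFE", "MONITOR", "ELEVATED"][n] if n < 3 else "TRAP-PATTERN-DETECTED")

def make_version(version, changelog, permissions, observed, declared, published, prev=None, signed=True):
    v = {"version": version, "changelog": changelog, "permissions": permissions, "observed": observed,
         "declared": declared, "published": published, "prev_hash": content_hash(prev) if prev else None}
    if signed:
        v["signature"] = sign(content_hash(v))
    return v

# Constructed sample mirroring the page's data-sync-helper report; v1.1 ships unsigned.
V10 = make_version("1.0", "initial release", ["file-read:/data/"], ["sync"], [], "2025-06-01T12:00:00+00:00")
V11 = make_version("1.1", "performance improvements", V10["permissions"] + ["file-read:/config/"],
                   ["sync", "outbound-connection"], [], "2025-07-14T02:00:00+00:00", prev=V10, signed=False)
V12 = make_version("1.2", "dependency updates", V11["permissions"] + ["network-outbound"],
                   V11["observed"], [], "2025-08-01T09:00:00+00:00", prev=V11)
DATA_SYNC_HELPER = [V10, V11, V12]
```

Running `assess(DATA_SYNC_HELPER)` flags the unsigned v1.1 as a custody break alongside its new permission, undeclared outbound connection and off-hours publish, plus the new permission in v1.2.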
\r
## Related Tools

- **delta-disclosure-auditor** — Checks whether updates publish machine-readable change records; install-then-update attacks depend on inadequate delta disclosure to avoid detection
- **skill-update-delta-monitor** — Monitors for suspicious update patterns; install-then-update-trap-detector focuses specifically on the install-then-update attack path rather than general update anomalies
- **permission-creep-scanner** — Detects permission scope expansion in individual skills; this tool focuses on scope expansion that occurs across update boundaries
- **transparency-log-auditor** — Checks whether signing events are independently logged; install-then-update attacks are more detectable when every update is recorded in an auditable log
\r
## Limitations

Install-then-update trap detection requires access to behavioral data from multiple versions of a skill, which depends on registry version history preservation. Registries that do not retain older versions make behavioral comparison impossible for the full update history. Behavioral delta assessment is necessarily heuristic: the same observable change (an outbound connection) may represent legitimate new functionality or undisclosed malicious behavior, and cannot be distinguished without full code audit. Timing anomalies are signals, not proof — off-hours updates are common for legitimate releases targeting international time zones. The tool helps identify skills that warrant closer investigation, but does not replace manual review of suspicious update content.

v1.1 limitation: Chain-of-custody verification requires registries to support signed updates and content hashing, which most do not yet. Where registries do not preserve cryptographic metadata, chain verification produces no signal. An attacker who controls the registry itself can forge the hash chain.

*v1.1 chain-of-custody verification based on feedback from tobb_sunil (update-chain signing as commitment) in the delta disclosure discussion thread.*
Safe usage recommendations
This skill appears coherent and low-risk based on the provided SKILL.md: it needs only curl and python3 and asks for no credentials. Before installing, confirm two things: (1) review the full SKILL.md to ensure it does not instruct the agent to read local secret/config files or to transmit sensitive data to arbitrary endpoints, and (2) if you plan to pass an agent's installed-skill list as input, avoid including any secret tokens or private keys in that list. If you rely on cryptographic verification, make sure the skill fetches signature artifacts from authoritative sources (e.g., the registry or the publisher's signed release endpoint) rather than untrusted mirrors.
Functional analysis
Type: OpenClaw Skill
Name: install-then-update-trap-detector
Version: 1.1.0
This skill bundle is a security tool designed to detect 'install-then-update' attack patterns in other skills. The `SKILL.md` transparently describes its purpose, detection methods, and limitations, without containing any prompt injection attempts, obfuscated commands, or instructions for malicious actions. The required binaries (`curl`, `python3`) are standard tools plausible for a security analysis skill, and there is no evidence of their intended misuse within the provided content.
Capability assessment
Purpose & Capability
The name/description (detecting install-then-update attacks and verifying update chains) match the declared requirements: curl for fetching manifests/artifacts and python3 for local analysis/verification. No extra binaries, env vars, or config paths are requested that would be unrelated to the stated purpose.
Instruction Scope
The SKILL.md describes fetching version metadata, comparing changelogs, checking timing and permission changes, and cryptographic chain-of-custody verification — all within the scope of an analyzer. It does not declare reading unrelated secrets or system-wide config in the provided excerpt. If operator-provided inputs include an agent-installed-skill list, the skill expects that as input rather than implicitly harvesting host secrets.
Install Mechanism
No install spec or code files are present; this is instruction-only so nothing is downloaded or written to disk by default. That minimizes risk from the install mechanism.
Credentials
No environment variables or credentials are required. That is proportional: analyzing update metadata and verifying signatures does not inherently require user secrets.
Persistence & Privilege
`always` is false and model invocation is allowed (the platform default). The skill does not request persistent/privileged system presence or modify other skills' configurations in the provided material.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install install-then-update-trap-detector
  3. After installation, call the Skill by name directly or trigger it with /install-then-update-trap-detector
  4. Provide the required input according to the Skill's parameter description to receive structured output
Version history
v1.1.0
v1.1.0 introduces cryptographic chain-of-custody verification to improve update integrity tracking.
- Added chain-of-custody verification: update sequences are checked for cryptographic signing and hash chaining, detecting breaks in verifiable update history.
- SKILL.md updated with new detection dimension, examples, and limitations.
- Capability metadata now includes chain-of-custody-verification.
- No changes to input or output format for standard trap assessments.
v1.0.0
- Initial release of install-then-update-trap-detector (v1.0.0)
- Detects install-then-update attack patterns exploiting gaps between initial review and subsequent automatic updates
- Assesses skills on five dimensions: update policy transparency, behavioral delta on update, permission scope expansion, update timing anomalies, and rollback feasibility
- Outputs a detailed trap detection report with risk verdicts (SAFE / MONITOR / ELEVATED / TRAP-PATTERN-DETECTED)
- Designed to help users identify and respond to skills that may introduce malicious behavior post-install via updates without re-audit
Metadata
Slug: install-then-update-trap-detector
Version: 1.1.0
License:
Total installs: 0
Current installs: 0
Historical versions: 2
FAQ

What is Install Then Update Trap Detector?

Helps detect the install-then-update attack pattern — where a skill passes initial security review cleanly, then silently introduces malicious behavior throu... It is an AI Agent Skill plugin for Claude Code / OpenClaw, downloaded 524 times to date.

How do I install Install Then Update Trap Detector?

Run the command "/install install-then-update-trap-detector" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Install Then Update Trap Detector free?

Yes, Install Then Update Trap Detector is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does Install Then Update Trap Detector support?

Install Then Update Trap Detector runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Install Then Update Trap Detector?

Developed and maintained by andyxinweiminicloud (@andyxinweiminicloud); the current version is v1.1.0.
