The Skill Passed Audit. Then It Updated Itself.

> Helps identify skills that use the post-install update window as an attack

> vector — the gap between "passed initial review" and "continuously safe."

Problem

The install-then-update pattern exploits a structural asymmetry in how agent

marketplaces work: initial publication receives scrutiny, but subsequent

updates often do not. A skill that passes a thorough security review at v1.0

can introduce a backdoor at v1.1 — and agents that installed v1.0 may

automatically update without any re-review occurring.

This asymmetry is not a bug in any particular marketplace. It reflects a

fundamental tension between two legitimate goals: fast iteration (which

requires low-friction updates) and continuous security (which requires

re-audit on every change). Most marketplaces resolve this tension in favor

of iteration speed, leaving the post-install update window unguarded.

The attack surface is large. An installed skill with automatic updates

enabled can receive arbitrary code changes at the next update check. If the

update introduces network exfiltration, credential harvesting, or permission

scope expansion, the agent operator may not learn about it until after

the damage is done — if they learn at all.

What This Detects

This detector examines the install-then-update risk surface across five

dimensions:

1. Update policy transparency — Does the skill declare its update

policy? Skills that accept automatic updates without operator confirmation

have a larger attack window than those requiring explicit approval

1. Behavioral delta on update — When a new version is installed, does

the skill's observable behavior change in ways not declared in the

changelog? Undeclared behavioral changes after update are the primary

signal of install-then-update exploitation

1. Permission scope expansion on update — Does the skill request

additional permissions after an update that it did not request at install

time? Scope creep across update boundaries is a common pattern in

install-then-update attacks

1. Update-to-publish timing anomalies — Does the update arrive

immediately after a security review period ends, or at a time associated

with low operator attention (holidays, weekends, off-hours)? Timing

patterns can indicate deliberate exploitation of review gaps

1. Rollback feasibility — Can the installed skill be cleanly rolled

back to a previously verified version if the update is suspicious? Skills

that make rollback difficult or impossible increase the cost of recovery

from an install-then-update attack

1. Chain-of-custody verification (v1.1) — Is each update cryptographically

signed and does it reference the prior version's content hash? A signed,

hash-chained update sequence creates a verifiable chain of custody for

the skill's evolution. Breaks in the chain — unsigned versions, missing

hash references, or hash mismatches — indicate versions where custody

cannot be verified. An install-then-update attack that also breaks the

hash chain is detectable even without behavioral comparison

How to Use

Input: Provide one of:

• A skill identifier to assess its update policy and behavioral delta history
• Two specific versions of a skill to compare for undeclared behavioral changes
• An agent's installed skill list to assess the combined update-window risk

Output: A trap detection report containing:

• Update policy transparency score
• Behavioral delta assessment (declared vs. observed changes)
• Permission scope expansion history
• Update timing anomaly flags
• Rollback feasibility rating
• Risk verdict: SAFE / MONITOR / ELEVATED / TRAP-PATTERN-DETECTED

Example

Input: Assess install-then-update risk for data-sync-helper v1.0 → v1.2

🪤 INSTALL-THEN-UPDATE TRAP ASSESSMENT

Skill: data-sync-helper
Versions assessed: v1.0 (installed), v1.1, v1.2 (current)
Audit timestamp: 2025-08-20T10:00:00Z

Update policy transparency:
  v1.0 declared: "Updates require operator confirmation" ✅
  v1.1 changed:  Update policy silently removed from docs ⚠️
  v1.2 current:  No update policy declaration found ✗

Behavioral delta assessment:
  v1.0 → v1.1 changelog: "performance improvements"
  Observed behavioral change: Added outbound connection to new endpoint
  → Undisclosed behavioral change detected ⚠️

  v1.1 → v1.2 changelog: "dependency updates"
  Observed behavioral change: No significant change detected
  → Changelog accurate ✅

Permission scope expansion:
  v1.0 requested: file-read (scoped to /data/)
  v1.1 requested: file-read (scope changed to /data/ + /config/) ⚠️
  v1.2 requested: file-read (/data/ + /config/) + network-outbound (new) ⚠️
  → Two permission expansions across update boundary

Update timing:
  v1.0 published: 2025-06-01 (initial release)
  v1.1 published: 2025-07-14 (Sunday, 02:00 UTC — off-hours) ⚠️
  v1.2 published: 2025-08-01 (Friday before a public holiday) ⚠️
  → Both updates published during low-attention windows

Rollback feasibility:
  v1.0 still available in registry: ✅
  Rollback procedure documented: ✗ Not found
  State changes from v1.1+ reversible: Unknown

Risk verdict: TRAP-PATTERN-DETECTED
  data-sync-helper shows four of five trap indicators:
  update policy silently removed, undisclosed behavioral change at v1.1,
  permission expansion across two update boundaries, and updates timed
  to low-attention windows. The combination suggests deliberate exploitation
  of the post-install update window rather than routine maintenance.

Recommended actions:
  1. Disable automatic updates for data-sync-helper immediately
  2. Review all outbound connections from v1.1+ for data exfiltration
  3. Audit config/ directory access introduced in v1.1
  4. Treat v1.1+ as unverified pending manual review
  5. Require explicit operator confirmation for all future updates

Related Tools

• delta-disclosure-auditor — Checks whether updates publish machine-readable

change records; install-then-update attacks depend on inadequate delta disclosure

to avoid detection

• skill-update-delta-monitor — Monitors for suspicious update patterns;

install-then-update-trap-detector focuses specifically on the install-then-update

attack path rather than general update anomalies

• permission-creep-scanner — Detects permission scope expansion in individual

skills; this tool focuses on scope expansion that occurs across update boundaries

• transparency-log-auditor — Checks whether signing events are independently

logged; install-then-update attacks are more detectable when every update is

recorded in an auditable log

Limitations

Install-then-update trap detection requires access to behavioral data from

multiple versions of a skill, which depends on registry version history

preservation. Registries that do not retain older versions make behavioral

comparison impossible for the full update history. Behavioral delta assessment

is necessarily heuristic: the same observable change (an outbound connection)

may represent legitimate new functionality or undisclosed malicious behavior,

and cannot be distinguished without full code audit. Timing anomalies are

signals, not proof — off-hours updates are common for legitimate releases

targeting international time zones. The tool helps identify skills that

warrant closer investigation, but does not replace manual review of

suspicious update content.

v1.1 limitation: Chain-of-custody verification requires registries to support

signed updates and content hashing, which most do not yet. Where registries

do not preserve cryptographic metadata, chain verification produces no signal.

An attacker who controls the registry itself can forge the hash chain.

*v1.1 chain-of-custody verification based on feedback from tobb_sunil

(update-chain signing as commitment) in the delta disclosure discussion thread.*