install-then-update-trap-detector

Helps detect the install-then-update attack pattern — where a skill passes initial security review cleanly, then silently introduces malicious behavior through an automatic update that bypasses re-audit. v1.1 adds cryptographic chain-of-custody verification for update sequences.

3,891 stars

Best use case

install-then-update-trap-detector is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using install-then-update-trap-detector should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/install-then-update-trap-detector/SKILL.md --create-dirs "https://raw.githubusercontent.com/openclaw/skills/main/skills/andyxinweiminicloud/install-then-update-trap-detector/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/install-then-update-trap-detector/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How install-then-update-trap-detector Compares

| Feature / Agent | install-then-update-trap-detector | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Helps detect the install-then-update attack pattern — where a skill passes initial security review cleanly, then silently introduces malicious behavior through an automatic update that bypasses re-audit. v1.1 adds cryptographic chain-of-custody verification for update sequences.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# The Skill Passed Audit. Then It Updated Itself.

> Helps identify skills that use the post-install update window as an attack
> vector — the gap between "passed initial review" and "continuously safe."

## Problem

The install-then-update pattern exploits a structural asymmetry in how agent
marketplaces work: initial publication receives scrutiny, but subsequent
updates often do not. A skill that passes a thorough security review at v1.0
can introduce a backdoor at v1.1 — and agents that installed v1.0 may
automatically update without any re-review occurring.

This asymmetry is not a bug in any particular marketplace. It reflects a
fundamental tension between two legitimate goals: fast iteration (which
requires low-friction updates) and continuous security (which requires
re-audit on every change). Most marketplaces resolve this tension in favor
of iteration speed, leaving the post-install update window unguarded.

The attack surface is large. An installed skill with automatic updates
enabled can receive arbitrary code changes at the next update check. If the
update introduces network exfiltration, credential harvesting, or permission
scope expansion, the agent operator may not learn about it until after
the damage is done — if they learn at all.

## What This Detects

This detector examines the install-then-update risk surface across the
dimensions listed below (the sixth was added in v1.1):

1. **Update policy transparency** — Does the skill declare its update
   policy? Skills that accept automatic updates without operator confirmation
   have a larger attack window than those requiring explicit approval

2. **Behavioral delta on update** — When a new version is installed, does
   the skill's observable behavior change in ways not declared in the
   changelog? Undeclared behavioral changes after update are the primary
   signal of install-then-update exploitation

3. **Permission scope expansion on update** — Does the skill request
   additional permissions after an update that it did not request at install
   time? Scope creep across update boundaries is a common pattern in
   install-then-update attacks

4. **Update-to-publish timing anomalies** — Does the update arrive
   immediately after a security review period ends, or at a time associated
   with low operator attention (holidays, weekends, off-hours)? Timing
   patterns can indicate deliberate exploitation of review gaps

5. **Rollback feasibility** — Can the installed skill be cleanly rolled
   back to a previously verified version if the update is suspicious? Skills
   that make rollback difficult or impossible increase the cost of recovery
   from an install-then-update attack

6. **Chain-of-custody verification** (v1.1) — Is each update cryptographically
   signed and does it reference the prior version's content hash? A signed,
   hash-chained update sequence creates a verifiable chain of custody for
   the skill's evolution. Breaks in the chain — unsigned versions, missing
   hash references, or hash mismatches — indicate versions where custody
   cannot be verified. An install-then-update attack that also breaks the
   hash chain is detectable even without behavioral comparison
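The chain-of-custody check described in dimension 6, as an added example that is not part of this skill's own code: each version record carries a content hash, a reference to the prior version's content hash, and a signature over those fields; the verifier walks the sequence and reports every break. The `verify_chain` and `sample_chain` functions, the record layout, and the `PUBLISHER_KEY` are assumptions made for this example, and HMAC-SHA256 stands in for the registry's public-key signature so the block runs with the standard library only.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the publisher's signing key. A real registry would use a
# public-key scheme (e.g. Ed25519) so verifiers never hold the signing secret.
PUBLISHER_KEY = b"constructed-demo-key"


def content_hash(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


def sign(version: str, chash: str, prev: Optional[str]) -> str:
    # Sign a canonical JSON encoding so publisher and verifier hash identical bytes.
    payload = json.dumps({"version": version, "hash": chash, "prev": prev}, sort_keys=True)
    return hmac.new(PUBLISHER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_version(version: str, content: str, prev: Optional[str]) -> dict:
    """Publisher side: hash the content, link to the prior hash, sign the record."""
    chash = content_hash(content)
    return {"version": version, "content": content, "hash": chash,
            "prev": prev, "signature": sign(version, chash, prev)}


def verify_chain(versions: list) -> list:
    """Walk the version sequence; return findings (empty list means custody verifies)."""
    findings, expected_prev = [], None
    for v in versions:
        ver, chash = v["version"], content_hash(v["content"])
        if v.get("hash") != chash:  # served content differs from the signed hash
            findings.append(f"{ver}: content hash mismatch")
        if v.get("prev") != expected_prev:  # link must point at the prior served content
            findings.append(f"{ver}: prev-hash reference does not match prior version")
        sig = v.get("signature")
        if sig is None:
            findings.append(f"{ver}: unsigned")
        elif not hmac.compare_digest(sig, sign(ver, v.get("hash", ""), v.get("prev"))):
            findings.append(f"{ver}: signature invalid")
        expected_prev = chash  # next version must reference what was actually served
    return findings


def sample_chain() -> list:
    """Constructed three-version chain mirroring the data-sync-helper example."""
    v10 = make_version("1.0", "sync /data/ to backup", None)
    v11 = make_version("1.1", "sync /data/ and /config/ to backup", v10["hash"])
    v12 = make_version("1.2", v11["content"] + "; post to endpoint", v11["hash"])
    return [v10, v11, v12]
```

A clean chain yields no findings; swapping v1.1's content after signing, or shipping v1.2 without a signature, surfaces as a custody break at exactly that version.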

## How to Use

**Input**: Provide one of:
- A skill identifier to assess its update policy and behavioral delta history
- Two specific versions of a skill to compare for undeclared behavioral changes
- An agent's installed skill list to assess the combined update-window risk

**Output**: A trap detection report containing:
- Update policy transparency score
- Behavioral delta assessment (declared vs. observed changes)
- Permission scope expansion history
- Update timing anomaly flags
- Rollback feasibility rating
- Risk verdict: SAFE / MONITOR / ELEVATED / TRAP-PATTERN-DETECTED

## Example

**Input**: Assess install-then-update risk for `data-sync-helper` v1.0 → v1.2

```
🪤 INSTALL-THEN-UPDATE TRAP ASSESSMENT

Skill: data-sync-helper
Versions assessed: v1.0 (installed), v1.1, v1.2 (current)
Audit timestamp: 2025-08-20T10:00:00Z

Update policy transparency:
  v1.0 declared: "Updates require operator confirmation" ✅
  v1.1 changed:  Update policy silently removed from docs ⚠️
  v1.2 current:  No update policy declaration found ✗

Behavioral delta assessment:
  v1.0 → v1.1 changelog: "performance improvements"
  Observed behavioral change: Added outbound connection to new endpoint
  → Undisclosed behavioral change detected ⚠️

  v1.1 → v1.2 changelog: "dependency updates"
  Observed behavioral change: No significant change detected
  → Changelog accurate ✅

Permission scope expansion:
  v1.0 requested: file-read (scoped to /data/)
  v1.1 requested: file-read (scope changed to /data/ + /config/) ⚠️
  v1.2 requested: file-read (/data/ + /config/) + network-outbound (new) ⚠️
  → Two permission expansions across update boundary

Update timing:
  v1.0 published: 2025-06-01 (initial release)
  v1.1 published: 2025-07-14 (Sunday, 02:00 UTC — off-hours) ⚠️
  v1.2 published: 2025-08-01 (Friday before a public holiday) ⚠️
  → Both updates published during low-attention windows

Rollback feasibility:
  v1.0 still available in registry: ✅
  Rollback procedure documented: ✗ Not found
  State changes from v1.1+ reversible: Unknown

Risk verdict: TRAP-PATTERN-DETECTED
  data-sync-helper shows four of five trap indicators:
  update policy silently removed, undisclosed behavioral change at v1.1,
  permission expansion across two update boundaries, and updates timed
  to low-attention windows. The combination suggests deliberate exploitation
  of the post-install update window rather than routine maintenance.

Recommended actions:
  1. Disable automatic updates for data-sync-helper immediately
  2. Review all outbound connections from v1.1+ for data exfiltration
  3. Audit config/ directory access introduced in v1.1
  4. Treat v1.1+ as unverified pending manual review
  5. Require explicit operator confirmation for all future updates
```

## Related Tools

- **delta-disclosure-auditor** — Checks whether updates publish machine-readable
  change records; install-then-update attacks depend on inadequate delta disclosure
  to avoid detection
- **skill-update-delta-monitor** — Monitors for suspicious update patterns;
  install-then-update-trap-detector focuses specifically on the install-then-update
  attack path rather than general update anomalies
- **permission-creep-scanner** — Detects permission scope expansion in individual
  skills; this tool focuses on scope expansion that occurs across update boundaries
- **transparency-log-auditor** — Checks whether signing events are independently
  logged; install-then-update attacks are more detectable when every update is
  recorded in an auditable log

## Limitations

Install-then-update trap detection requires access to behavioral data from
multiple versions of a skill, which depends on registry version history
preservation. Registries that do not retain older versions make behavioral
comparison impossible for the full update history. Behavioral delta assessment
is necessarily heuristic: the same observable change (an outbound connection)
may represent legitimate new functionality or undisclosed malicious behavior,
and cannot be distinguished without full code audit. Timing anomalies are
signals, not proof — off-hours updates are common for legitimate releases
targeting international time zones. The tool helps identify skills that
warrant closer investigation, but does not replace manual review of
suspicious update content.

v1.1 limitation: Chain-of-custody verification requires registries to support
signed updates and content hashing, which most do not yet. Where registries
do not preserve cryptographic metadata, chain verification produces no signal.
An attacker who controls the registry itself can forge the hash chain.

*v1.1 chain-of-custody verification based on feedback from tobb_sunil
(update-chain signing as commitment) in the delta disclosure discussion thread.*
