v1.0.0

Auto Updater Andy27725

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:13 AM.

Analysis

This skill is clear about creating daily auto-updates, but it would let a scheduled job change Clawdbot and every installed skill without reviewing each update.

Guidance: Install only if you are comfortable with unattended changes to Clawdbot and every installed skill. Safer use would be to run dry-run checks, review available updates, and approve changes manually, especially on important or sensitive agent setups.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
references/agent-guide.md
Then run: clawdbot doctor --yes ... Run: clawdhub update --all

The recommended cron message directs the agent to run high-impact update and migration commands automatically, including an all-skills update and a yes flag.

User impact: The scheduled agent could alter the bot runtime and every installed skill without prompting for each individual change; faulty updates could break workflows or change behavior.
Recommendation: Prefer a dry-run or notify-first workflow, require user approval before applying updates, limit which skills can be updated automatically, and keep a rollback plan.

Agentic Supply Chain Vulnerabilities
Severity: High | Confidence: High | Status: Concern
SKILL.md
npm update -g clawdbot@latest ... clawdhub update --all

The skill recommends unpinned latest/global updates and update-all behavior from external package or skill registries without artifact-shown verification, changelog review, or rollback.

User impact: A compromised, mistaken, or incompatible upstream release could be pulled into the agent automatically and affect future agent behavior.
Recommendation: Use trusted sources, pin or approve versions where possible, review changelogs before applying updates, and verify signatures or checksums if the ecosystem supports them.

Rogue Agents
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
clawdbot cron add ... --cron "0 4 * * *" ... --session isolated ... --wake now ... --deliver

The skill creates a persistent scheduled job that wakes an isolated session and delivers results daily; this continues until removed.

User impact: After setup, the updater keeps running and making changes on a schedule, possibly when the user is not actively watching.
Recommendation: Confirm the schedule and permissions before enabling it, know how to remove the cron job, and consider making the job report available updates instead of applying them automatically.