CrazyOzzy Auto Updater
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A future scheduled run could change or break the assistant and installed skills before you review the exact updates.
The skill instructs a scheduled agent to run local update tools that mutate the OpenClaw runtime and every installed skill. The artifacts do not define per-update approval, pinning/exclusions, rollback, or failure containment.
Use an **isolated scheduled agent turn** that: 1. Runs `openclaw update` ... 2. Runs `clawhub update --all`
Use dry-run or confirmation-first setup for initial runs, keep backups or rollback plans, pin or exclude sensitive skills, and review update summaries.
The updater may continue running on its schedule and making changes even when you are not actively using the agent.
The recurring scheduled job is disclosed and matches the purpose, but it is persistent automation that will keep running after setup unless disabled.
This skill helps set up an automated job that: 1. Updates **OpenClaw** itself 2. Updates installed skills via **ClawHub**
Confirm the schedule, notification path, and disable/removal process before enabling it.
It is harder to verify who published or maintained a skill that can configure broad automatic updates.
The embedded owner ID differs from the registry owner ID shown in the provided metadata, and the registry lists the source as unknown with no homepage. Because this is instruction-only, this is a provenance note rather than direct malicious behavior.
"ownerId": "kn73fehpspmvrqqdvz7jjdb50d7z4h5s"
Verify the publisher and install only from a trusted registry/source before enabling unattended updates.
