ClawHub

qwencloud-update-check

v0.1.0

[QwenCloud] Check for qwencloud-ai updates and notify the user when a new version is available. TRIGGER when: user asks to check for updates, check version,...

0· 82·0 current·0 all-time
by@cuixiaoyang123
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and SKILL.md: the scripts fetch a remote version.json (default from raw.githubusercontent.com for QwenCloud/qwencloud-ai), compare semver to the local version.json, and surface an update prompt. No unrelated credentials, binaries, or surprising installs are requested.
Instruction Scope
SKILL.md describes exactly what the code does. The runtime instructions and scripts only read the bundled version.json, optionally read skills-lock.json and .agents/state.json in the repo tree, write a timestamp to the repo's .agents/state.json, and perform an HTTPS GET to a GitHub raw URL. They do not collect other system files or transmit arbitrary local data.
Install Mechanism
There is no install spec; this is instruction-plus-stdlib Python code. No external archives or nonstandard download URLs are used. Remote network access is limited to a GitHub raw URL (urllib).
Credentials
No secrets or credentials are required. One environment variable (QWEN_SKILLS_REPO) can override the GitHub repo used for the version check — this is reasonable for configurability but means a user-set env var could redirect checks to a different repository.
Persistence & Privilege
The skill writes a small state file at <repo_root>/.agents/state.json (last_interaction, never_install) to rate-limit prompts and record user choices. This is expected for a notification/rate-limit feature, but it does persist across sessions and is shared with gossamer.py.
Assessment
This skill appears to do only what it says: compare the bundled version.json to a remote version.json on GitHub and store a timestamp in your repo's .agents/state.json to avoid repeated prompts. Before installing, be aware that (1) it will create/modify <repo_root>/.agents/state.json in the repository where your agent runs, (2) you can override the remote repo via the QWEN_SKILLS_REPO env var (so don’t set that to an untrusted URL), and (3) gossamer.py may print instructions suggesting an npx install command (it constructs the string but does not run it). If you want extra assurance, review the two included Python scripts (they are stdlib-only and short) and run them in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk972v6yb5abhq50hcz2dbwg0an83xmfa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments