OpenClaw Auto‑Updater (Safe + Scheduled + Summary)

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This updater is clearly described, but it schedules unattended changes to OpenClaw and all installed skills, which is high-impact and should be reviewed carefully.

Install only if you intentionally want unattended OpenClaw and skill updates. Start with dry-run mode, avoid updating all skills blindly if any are sensitive or mission-critical, keep rollback backups, and ensure you know how to remove or pause the cron schedule.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Future updates could change the agent platform and every installed skill automatically, including changes the user has not reviewed.

Why it was flagged

The default scheduled task applies OpenClaw updates with an automatic yes flag and updates all installed skills without per-run user approval.

Skill content

--message "Run daily auto-updates: 1) openclaw update --yes --json 2) clawdhub update --all 3) report versions updated + errors."

Recommendation

Prefer the documented dry-run mode first, then use a scoped update plan with explicit approval, exclusions for sensitive skills, and a rollback or restore procedure.

What this means

A bad, incompatible, or compromised upstream update could be installed automatically and affect the agent environment.

Why it was flagged

The optional helper pulls latest global OpenClaw packages and updates all skills without pinning versions or requiring review of the new artifacts.

Skill content

npm update -g openclaw@latest ... pnpm update -g openclaw@latest ... bun update -g openclaw@latest ... clawdhub update --all

Recommendation

Use trusted registries, review changelogs, consider pinning or staging versions, and test updates before applying them to the main OpenClaw environment.

Note (High Confidence)

ASI10: Rogue Agents

What this means

The updater will keep operating on its schedule until the user edits or removes the cron job.

Why it was flagged

The skill intentionally creates a persistent recurring cron job that wakes and delivers update work automatically.

Skill content

openclaw cron add ... --cron "30 3 * * *" ... --session isolated ... --wake now ... --deliver

Recommendation

Set a maintenance window, document how to disable the job, and periodically review whether automatic updates are still desired.