Self-Upgrade (Tianyi)
Review
Audited by ClawScan on May 10, 2026.
Overview
This self-maintenance skill is transparent about its purpose, but it can change OpenClaw configuration and handle auth tokens without a clearly enforced confirmation boundary.
Install only if you are comfortable with a self-maintenance skill that can inspect and update OpenClaw configuration. Before using automatic mode, confirm that all changes are shown first, backups are protected because they may contain tokens, and any skill updates or dependency changes require your explicit approval.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change its own configuration or run additional automatic repairs before the user has reviewed the exact changes.
The skill's own policy says config updates need user confirmation, but the shown workflow writes the OpenClaw config and runs a fixer command without showing a confirmation step.
Medium risk | Config field updates, skill package installation | Requires user confirmation ... if ($config.gateway.authToken) { ... Set-Content $ConfigPath ... openclaw doctor --fix }
Require an explicit user approval step before any config write, skill install/update, dependency change, or `doctor --fix` repair; make dry-run the default.
A mistake in the migration could break authentication or duplicate sensitive tokens into backups and rewritten config files.
The workflow reads and rewrites a local OpenClaw configuration file containing a gateway auth token, which is high-impact account/session-adjacent data.
$ConfigPath = "~\.openclaw\openclaw.json" ... if ($config.gateway.authToken) { ... token = $config.gateway.authToken ... Remove('authToken') }
Declare the required config path and token handling in metadata, limit token migration to explicit user-approved runs, and clearly state where backups containing tokens are stored.
If a user runs a similarly named external script, its behavior may not match the reviewed artifact.
The skill references helper script and reference files, while the provided manifest contains only SKILL.md, so any separately obtained helper files would be outside this review.
### scripts/self-upgrade.ps1 ... ### references/upgrade-history.md ... ### references/config-schema.md
Only run helper scripts that are packaged with the skill or otherwise verified; include referenced files in the package for review.
Maintenance actions might occur during routine agent operation rather than only after a direct user request.
The skill describes automatic or periodic invocation conditions, although no actual persistence or scheduler code is included.
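This skill should be triggered in the following situations: ... first startup after a version upgrade ... skill load failure ... periodic maintenance (e.g., a weekly health check)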
Keep periodic or startup-triggered runs read-only unless the user has enabled them and approved any changes.
