Self Updater
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This updater is purpose-aligned, but it asks users to run a PowerShell updater script that is not included in the package and that can automatically change OpenClaw core and installed skills, including with unattended approval.
Install only if you are comfortable with an updater changing OpenClaw core, installed skills, and the gateway. Before enabling AutoUpdate, AutoApprove, Quiet, or cron use, obtain and inspect the missing self-updater.ps1 script from a trusted repository, run check-only mode first, back up your OpenClaw configuration, and use limited notification credentials.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You cannot verify from the packaged artifacts what code would actually perform the updates, restarts, notifications, or approval checks.
The skill's core behavior depends on a PowerShell script referenced in SKILL.md, but that script is not included in the reviewed package. Because the missing implementation would update OpenClaw core and installed skills, this is a material provenance and reviewability gap.
No install spec — this is an instruction-only skill. ... No code files present — this is an instruction-only skill. ... File manifest: README.md, SKILL.md
Do not run the updater until you have obtained and reviewed the referenced script from a trusted source, verified its checksum or repository provenance, and confirmed it only performs the intended update actions.
A scheduled run could update core components or skills and restart the gateway without you seeing or approving each high-risk change.
The documented unattended path uses AutoApprove and Quiet for scheduled updates. The same artifact says the skill updates both OpenClaw core and installed skills and can restart the gateway, so this can materially change the agent environment without interactive review.
# Full automation (for cron)
powershell -ExecutionPolicy Bypass -File scripts/self-updater.ps1 -AutoUpdate -SmartTiming -AutoApprove -Quiet
Use check-only mode first, avoid AutoApprove/Quiet unless you fully trust the implementation, keep backups, and require manual approval for core, gateway, or bulk skill updates.
If the referenced script is replaced or obtained from an untrusted source, it could run with your local user privileges.
Running a local PowerShell script is central to an updater, but ExecutionPolicy Bypass lowers local script-execution restrictions and should only be used with trusted, reviewed scripts.
powershell -ExecutionPolicy Bypass -File scripts/self-updater.ps1
Run only a known-good script from a trusted path, inspect it before use, and avoid bypassing execution policy unless necessary.
If these environment variables are exposed or over-privileged, someone could misuse the associated bot or app integration.
Notification credentials are purpose-aligned for Telegram/Feishu alerts, but they are still credentials that grant access to external messaging integrations.
optional_envs:
  - TELEGRAM_BOT_TOKEN
  - FEISHU_APP_ID
  - FEISHU_APP_SECRET
Use least-privilege notification credentials, configure them only if notifications are needed, and rotate them if they may have been exposed.
Local schedule/config data may reveal workflow timing and can influence updater behavior if the files are inaccurate or modified.
The skill intentionally reads persistent local configuration and cron schedule data to decide update timing. This is aligned with the stated cron-aware purpose, but the cron file becomes trusted context that affects when updates run.
Reads: `~/.openclaw/openclaw.json` (port only), `~/.openclaw/cron/jobs.json`
Ensure OpenClaw config and cron files are readable only by trusted users and review them before enabling unattended smart-timing updates.
