ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Updater 1.0.0 (1)

v1.0.0

Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of w...

0· 281·2 current·2 all-time
by@gwsq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: it sets up a cron job or helper script to run clawdbot/clawdhub update commands. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
Instructions explicitly run package manager global updates (npm/pnpm/bun), clawdbot update/doctor, and clawdhub update --all, and write logs under ~/.clawdbot. These actions are within the updater's purpose but do perform system-level updates and may require elevated permissions; they also execute code obtained from the registry (expected for an updater), so you should ensure you trust the registry and have rollback/backups.
Install Mechanism
Instruction-only skill with no install spec and no downloaded artifacts. No archive downloads or external install URLs are present.
Credentials
The skill declares no env vars or credentials, which is coherent because it relies on the existing Clawdbot/Gateway configuration for delivery. However, it assumes the agent/system already has provider/delivery credentials and sufficient permissions to run global package updates; verify those are appropriately scoped.
Persistence & Privilege
Does not request always:true, does not modify other skills' configs. It recommends creating a cron job and an updater script under the user's ~/.clawdbot area, which is appropriate for this purpose.
Assessment
This skill appears to do what it says: add a cron job or script that runs clawdbot and clawdhub update commands daily and reports a summary. Before enabling: 1) Confirm you trust Clawdbot/ClawdHub and the registry they pull updates from (automated updates will run code fetched remotely). 2) Test with a dry-run (clawdhub update --all --dry-run) and run the script manually to inspect logs (~/.clawdbot/logs/auto-update.log) before scheduling. 3) Ensure the user/Gateway has only the necessary permissions (avoid running global package updates as root if possible). 4) If you deliver summaries to external providers (Telegram, etc.), verify those provider credentials are configured elsewhere and scoped appropriately. 5) Keep a rollback or backup plan in case an update breaks your setup.

Like a lobster shell, security has layers — review code before you run it.

latestvk978nfwfay0nb0z78ecarfsyt582b8dk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔄 Clawdis
OSmacOS · Linux

Comments