Skill Update Helper
Security checks across malware telemetry and agentic risk
Overview
The skill is transparent about updating skills, but its scheduled workflow can automatically change every installed skill without fresh approval or rollback guidance.
Use this only if you are comfortable with an agent changing all installed skills. Prefer scheduled dry-run reports, require manual approval before applying updates, review how to disable the cron job, and verify the publisher mismatch before trusting it.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A recurring task could change the user's installed skills and future agent behavior automatically.
The scheduled task applies updates to all installed skills rather than only checking for them, and the instructions do not require a dry-run, per-run approval, or rollback plan.
For a scheduled daily check, create an isolated cron run that asks the agent to:
1. check OpenClaw version/update status
2. run `clawhub update --all`
Require `clawhub update --all --dry-run` first, ask for explicit approval before applying updates, support updating specific skill slugs, and document rollback or version-pinning steps.
The agent may keep performing scheduled update checks or updates until the cron task is changed or removed.
Recurring cron-based agent activity is disclosed and purpose-aligned, but it is persistent automation that can continue after setup.
When the user asks for an automatic reminder or recurring update task, use OpenClaw cron with an isolated agent turn.
Show the user the exact schedule and task text, explain how to pause or remove it, and prefer report-only scheduled checks unless the user explicitly opts into automatic updates.
It is less clear which publisher identity is authoritative for a skill that can update other installed skills.
The supplied registry metadata lists a different owner ID, `kn77zzg9p845zanvy6vrf76k7d81mcnm`, creating a provenance ambiguity.
"ownerId": "kn73fehpspmvrqqdvz7jjdb50d7z4h5s"
Verify the publisher identity before installation and resolve the registry/package owner mismatch.
