Skill v1.0.0
ClawScan security
OpenClaw Upgrade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 1:01 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only guide that coherently explains using yarn to upgrade OpenClaw in environments that cannot access GitHub; it requests no extra credentials or installs and contains no surprising behavior, though global package installs inherently run code and can change system state.
- Guidance
- This skill is coherent with its purpose, but take ordinary precautions before running system-level package installs:
  1. Installing a package globally will run the package's install scripts (and scripts of its dependencies) — verify the package source and checksum when possible.
  2. Prefer testing the upgrade in a staging environment first and back up configuration.
  3. Global installs may require sudo and can change system-wide binaries; consider installing to a non-root environment or using a container if you need isolation.
  4. If you switch registries (e.g., registry.npmmirror.com), ensure the mirror is trusted.
  5. If network restrictions remain, consider obtaining the package tarball from a trusted mirror or vendor and installing it offline.
Review Dimensions
- Purpose & Capability
- ok: Name and description (upgrade OpenClaw when GitHub is inaccessible) match the instructions: using yarn global add, checking status, switching registries, and restarting Gateway. No unrelated services, binaries, or credentials are requested.
- Instruction Scope
- note: Instructions are narrowly scoped to installing/upgrading via yarn, verifying installation, and optional restart. They do direct system-level actions (global install, which may require sudo, and restarting gateway) — these are expected for an upgrade but are impactful and should be run with caution.
- Install Mechanism
- ok: The skill contains no install spec and is instruction-only (lowest installer risk). The recommended yarn global add uses the public npm/yarn ecosystem — no arbitrary download URLs are suggested.
- Credentials
- ok: No environment variables, credentials, or config paths are requested. The SKILL.md only suggests changing the yarn registry (e.g., to registry.npmmirror.com), which is consistent with the stated goal.
- Persistence & Privilege
- ok: Skill is not forced-always, and does not attempt to persist itself or modify other skills. Autonomous invocation is allowed by default but not combined with other privilege escalations.
