Skill v1.0.0

ClawScan security

Auto-Update (OpenClaw + Skills) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 9, 2026, 10:05 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested actions (create an OpenClaw cron job, read/write ~/auto-update/*, run openclaw and clawhub update commands, and keep backups) match its stated purpose and there are no unexplained credentials, downloads, or hidden endpoints.
Guidance
This skill is coherent with its purpose, but review and approve what it will touch before enabling automation:
1) Inspect the proposed ~/auto-update/* templates and per-skill rules so auto-update boundaries are explicit.
2) Run the safer 'notify-first' / dry-run (clawhub update --all --dry-run) before enabling apply mode.
3) Be cautious about allowing backups of sensitive files (e.g., ~/.openclaw/credentials) — only include those after explicit consent and consider encrypting backups.
4) If workspace integration is offered, review any AGENTS.md edits before applying.
5) Remember the cron job will autonomously run update commands with whatever permissions the agent/session has — enable only if you trust that environment and the specified policies.

Review Dimensions

Purpose & Capability
ok
Name/description promise (auto-update OpenClaw and skills) aligns with the required binaries (openclaw, clawhub), the control folder under ~/auto-update/, and the runtime actions described (openclaw cron add, openclaw update, clawhub update). Nothing requested is unrelated to automated updating of OpenClaw and skills.
Instruction Scope
note
SKILL.md explicitly instructs reading and writing files under ~/auto-update/ and (optionally) inspecting OpenClaw workspace files (e.g., ~/.openclaw/*) and AGENTS.md/SOUL.md for workspace integration. These are reasonable for an updater, but they do mean the agent will access user home files and potentially workspace files — the skill documents this and asks for user approval before touching larger or sensitive scopes.
Install Mechanism
ok
Instruction-only skill with no install spec or remote downloads. No code is written to disk by the skill itself beyond its own control files in ~/auto-update/. This is the lowest-risk install model and matches its purpose.
Credentials
note
The skill requests no environment variables or credentials. It does mention optional backups that could include sensitive files (e.g., ~/.openclaw/credentials/) but calls this out and requires explicit user decision. The absence of secret env requirements matches the updater purpose.
Persistence & Privilege
note
The skill encourages creating a persistent scheduled job (openclaw cron add) that will autonomously run updates; always:false is set. Autonomous scheduled runs are expected for an updater, but the user should understand this creates ongoing automation that will execute update commands the agent instructs.