Pg Update

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly consistent with updating ProxyGate, but it also directs global package updates and installs/refreshes agent skills without clearly bounded approval or rollback.

Install only if you are comfortable letting the agent update global npm packages and refresh ProxyGate-related skills. Before proceeding, ask the agent to show the exact commands, confirm the target versions, and avoid any auth, wallet, deposit, withdrawal, or unrelated ProxyGate commands during the update.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Allowing the workflow could change both your local ProxyGate installation and your agent's available skills, not just check for an update.

Why it was flagged

These commands are part of the stated update process and can change the global CLI installation and installed agent skills. The artifact does not require explicit user approval, list which skills will change, or provide rollback/containment guidance.

Skill content

npm install -g @proxygate/cli@latest
proxygate --version    # verify
...
proxygate skills install

Recommendation

Require explicit confirmation before running install/update commands, show the exact package version and skills to be installed, and document how to undo or pin changes.

What this means

A compromised or breaking upstream release could be installed into the user's environment.

Why it was flagged

Using `@latest` from npm is expected for an update skill, but it means the user is accepting the newest external package code rather than a pinned, reviewed version.

Skill content

npm install -g @proxygate/cli@latest
...
npm install @proxygate/sdk@latest

Recommendation

For sensitive environments, verify the package source/release notes or pin to a specific known-good version before installing.

What this means

If wired into session startup, the skill may run a network version check and write a cache file automatically when the agent starts.

Why it was flagged

The script is intended as a persistent session-start update check. Its code only checks versions, writes a cache file, and prints a notification, but the automatic hook is not described in the install metadata.

Skill content

# ProxyGate update checker — runs on Claude Code SessionStart.
# Writes result to ~/.claude/cache/proxygate-update-check.json.

Recommendation

Make the startup hook visible to users and provide a clear way to disable it; keep it limited to notification-only behavior.

What this means

If the agent strays beyond the update task, it has reference material for commands involving credentials or funds.

Why it was flagged

The bundled CLI reference documents credential, wallet, deposit, and withdrawal commands. These are not part of the update workflow, but they are broader account-authority instructions included with the skill.

Skill content

--keypair <path> — Path to Solana keypair JSON file
--api-key <key> — Override API key
...
proxygate deposit -a 5000000
proxygate withdraw -a 2000000

Recommendation

During update tasks, do not provide API keys, wallet keypairs, or authorize financial commands unless that is explicitly your goal.