Weekly Skills Update
v0.1.0每周自动更新技能并推送摘要。当收到"执行技能每周更新"或"skills-weekly-update"触发时,运行 clawhub update --all 并更新 SKILLS_INDEX.md,最后推送摘要给用户。
⭐ 0· 323·3 current·3 all-time
by@ken0122
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description state a weekly update that runs clawhub update --all, updates SKILLS_INDEX.md, and pushes a summary — the SKILL.md does exactly that. No unexpected external credentials or unrelated binaries are requested.
Instruction Scope
The runtime instructions explicitly cd into ~/.openclaw/workspace, run clawhub update --all, write output to /tmp/skills-update-output.txt, parse results, update SKILLS_INDEX.md, and save logs. This is within the expected scope, but there are ambiguous/mistyped paths (e.g., log path uses ~/clawd/workspace which is inconsistent with ~/.openclaw) and an unspecified push target ('current session (飞书/主会话)'), which could cause accidental writes or unexpected destinations. The skill will read and write files under the user's home and /tmp and will perform network operations via clawhub.
Install Mechanism
This is instruction-only with no install spec or downloaded code — lowest install risk. The SKILL.md only suggests installing clawhub via npm if missing, which is a local package manager command and not executed by the skill itself.
Credentials
The skill declares no environment variables or credentials, and the instructions do not request secrets. It only relies on a local clawhub binary and filesystem access, which are proportional to the described function.
Persistence & Privilege
always is false and the skill is user-invocable. The skill will modify local files (SKILLS_INDEX.md and logs) and runs clawhub --all which updates other installed skills. This is expected for an updater but gives the skill effective write/update capability across the agent's skill workspace — verify you want automated updates to run and modify those files.
Assessment
This skill appears to do what it claims, but review a few things before enabling it: (1) It will run clawhub update --all and perform network updates that can modify many installed skills — only enable if you trust the clawhub source/registry. (2) It writes to ~/.openclaw/workspace, /tmp, and a log path that appears mistyped as ~/clawd/workspace — fix the path or confirm intended locations to avoid accidental writes. (3) The push destination for the summary is vague (mentions Feishu/current session); confirm which channel/session will receive the summary to avoid leaking information. (4) Consider backing up SKILLS_INDEX.md and your skills directory before first run, and run the update manually once to observe behavior. If you want higher assurance, request the exact clawhub binary/package provenance or a versioned install instruction.Like a lobster shell, security has layers — review code before you run it.
latest
每周技能自动更新
触发条件
当收到以下任一消息时激活:
- "执行技能每周更新"
- "skills-weekly-update"
- "运行技能更新脚本"
执行流程
1. 执行更新命令
cd ~/.openclaw/workspace
clawhub update --all 2>&1 | tee /tmp/skills-update-output.txt
2. 解析更新结果
统计:
- 更新成功的技能数量(✓ 标记)
- 已是最新的技能数量(up to date)
- 更新失败的数量(error/failed)
3. 更新 SKILLS_INDEX.md
如果技能有增减:
- 重新扫描技能目录
- 更新技能总数
- 更新「最后更新」日期
- 在更新日志中添加记录
4. 生成摘要并推送
摘要格式:
🌀 **技能每周更新摘要**
**更新时间**: YYYY-MM-DD HH:MM
**结果**:
- ✅ 更新成功:X 个
- ⏭️ 已是最新:Y 个
- ❌ 更新失败:Z 个
**更新详情**:
- skill-name-1: v1.0.0 → v1.0.1
- skill-name-2: v1.2.0 → v1.3.0
**SKILLS_INDEX.md**: 已更新/无需更新
---
*下次更新:下周日 09:00*
错误处理
- 如果 clawhub 命令不存在:提示用户安装
npm i -g clawhub - 如果更新失败:记录错误并继续
- 如果网络问题:重试 2 次,间隔 30 秒
注意事项
- 更新前不备份(clawhub 自动处理)
- 推送摘要到当前会话(飞书/主会话)
- 更新日志保存到
~/clawd/workspace/logs/skills-update-YYYYMMDD.md
Comments
Loading comments...