ClawHub

Weekly Skills Update

v0.1.0

每周自动更新技能并推送摘要。当收到"执行技能每周更新"或"skills-weekly-update"触发时,运行 clawhub update --all 并更新 SKILLS_INDEX.md,最后推送摘要给用户。

0· 316·3 current·3 all-time
by@ken0122
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description state a weekly update that runs clawhub update --all, updates SKILLS_INDEX.md, and pushes a summary — the SKILL.md does exactly that. No unexpected external credentials or unrelated binaries are requested.
Instruction Scope
The runtime instructions explicitly cd into ~/.openclaw/workspace, run clawhub update --all, write output to /tmp/skills-update-output.txt, parse results, update SKILLS_INDEX.md, and save logs. This is within the expected scope, but there are ambiguous/mistyped paths (e.g., log path uses ~/clawd/workspace which is inconsistent with ~/.openclaw) and an unspecified push target ('current session (飞书/主会话)'), which could cause accidental writes or unexpected destinations. The skill will read and write files under the user's home and /tmp and will perform network operations via clawhub.
Install Mechanism
This is instruction-only with no install spec or downloaded code — lowest install risk. The SKILL.md only suggests installing clawhub via npm if missing, which is a local package manager command and not executed by the skill itself.
Credentials
The skill declares no environment variables or credentials, and the instructions do not request secrets. It only relies on a local clawhub binary and filesystem access, which are proportional to the described function.
Persistence & Privilege
always is false and the skill is user-invocable. The skill will modify local files (SKILLS_INDEX.md and logs) and runs clawhub --all which updates other installed skills. This is expected for an updater but gives the skill effective write/update capability across the agent's skill workspace — verify you want automated updates to run and modify those files.
Assessment
This skill appears to do what it claims, but review a few things before enabling it: (1) It will run clawhub update --all and perform network updates that can modify many installed skills — only enable if you trust the clawhub source/registry. (2) It writes to ~/.openclaw/workspace, /tmp, and a log path that appears mistyped as ~/clawd/workspace — fix the path or confirm intended locations to avoid accidental writes. (3) The push destination for the summary is vague (mentions Feishu/current session); confirm which channel/session will receive the summary to avoid leaking information. (4) Consider backing up SKILLS_INDEX.md and your skills directory before first run, and run the update manually once to observe behavior. If you want higher assurance, request the exact clawhub binary/package provenance or a versioned install instruction.

Like a lobster shell, security has layers — review code before you run it.

latestvk97291tnkypj25y81wk20knyxd827wwx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments