ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Muguozi1 Openclaw Auto Updater

v1.0.0

Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of w...

0· 128·1 current·1 all-time
by@muguozi1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (daily auto-update of Clawdbot and skills) matches the provided instructions (cron job, npm/pnpm/bun/git update flows and clawdhub update). However metadata and provenance are inconsistent: registry header lists 'Source: unknown' and 'Homepage: none' while _meta.json/repository point to GitHub and author is 'OpenClaw Team' — this mismatch reduces trust. Also the code/docs reference multiple CLIs (clawdbot, clawdhub, clawhub, clawdhub) which is inconsistent and could cause failures.
!
Instruction Scope
SKILL.md and references instruct the agent/user to create scripts in the user's home (~/.clawdbot/scripts/auto-update.sh), write logs, and run package manager commands that modify system-global packages (npm update -g, pnpm, bun) and run 'clawdhub update --all'. The instructions reference commands (clawdhub / clawhub / clawdbot / clawdhub) that are not declared in requires.* metadata. The skill thus instructs actions that touch system state and external network resources (package registries, git), which is expected for an updater but warrants careful review before enabling automatic runs.
Install Mechanism
No install spec (instruction-only) and no download/extract steps are present; that is lower-risk from an installer perspective. The delivered files are docs and small helper scripts (examples/test) which are benign, but the runtime instructions will execute external CLIs already present on the system.
Credentials
The skill requests no environment variables or credentials. Customization prompts mention provider delivery (e.g., Telegram) but do not require or declare API tokens. This is proportionate to an auto-update utility — it needs CLI availability and filesystem permissions rather than secrets.
Persistence & Privilege
always is false and the skill does not request persistent privileged presence. It instructs creating a per-user cron job and a per-user script (writes under the user's home), which is appropriate for a user-level auto-updater. No evidence it modifies other skills' configs or system-wide agent settings beyond the described cron job.
What to consider before installing
This skill appears to do what it says (set up daily updates), but review and test before enabling automatic runs. Actions to take before installing/enabling: - Confirm provenance: the package metadata and registry header conflict (source unknown vs _meta.json claiming OpenClaw GitHub). Verify the repository URL and author outside the registry. - Inspect the auto-update script it would create (~/.clawdbot/scripts/auto-update.sh) and run it manually in dry-run mode first (SKILL.md suggests `clawdhub update --all --dry-run`). - Fix or confirm CLI names: docs mix 'clawhub' and 'clawdhub' and use 'clawdbot'; ensure the correct binaries exist on your system (run `which clawdbot`, `which clawdhub`/`clawhub`). The examples/scripts call 'clawhub' while docs call 'clawdhub' — this may be a typo that causes failures. - Check filesystem and permission implications: global package updates (npm -g / pnpm -g / bun) may require elevated privileges and can modify globally installed packages — ensure you understand and have backups or ways to rollback. - Run the commands manually or with `--dry-run` first to confirm expected output and that summaries/parsing are correct. - If you will enable automatic delivery to external providers (Telegram, etc.), ensure tokens/credentials are provided separately and securely; the skill does not declare or require them. Given the inconsistencies and the fact the skill runs system-level update commands, treat it as trusted only after manual verification and a successful dry-run. If you are uncertain about the origin, prefer manual update workflows instead of enabling automatic cron-based updates.

Like a lobster shell, security has layers — review code before you run it.

latestvk977hpkdkchxyr7ktw00ac4151831k5k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔄 Clawdis
OSmacOS · Linux

SKILL.md

Auto-Updater Skill

Keep your Clawdbot and skills up to date automatically with daily update checks.

What It Does

This skill sets up a daily cron job that:

  1. Updates Clawdbot itself (via clawdbot doctor or package manager)
  2. Updates all installed skills (via clawdhub update --all)
  3. Messages you with a summary of what was updated

Setup

Quick Start

Ask Clawdbot to set up the auto-updater:

Set up daily auto-updates for yourself and all your skills.

Or manually add the cron job:

clawdbot cron add \
  --name "Daily Auto-Update" \
  --cron "0 4 * * *" \
  --tz "America/Los_Angeles" \
  --session isolated \
  --wake now \
  --deliver \
  --message "Run daily auto-updates: check for Clawdbot updates and update all skills. Report what was updated."

Configuration Options

OptionDefaultDescription
Time4:00 AMWhen to run updates (use --cron to change)
TimezoneSystem defaultSet with --tz
DeliveryMain sessionWhere to send the update summary

How Updates Work

Clawdbot Updates

For npm/pnpm/bun installs:

npm update -g clawdbot@latest
# or: pnpm update -g clawdbot@latest
# or: bun update -g clawdbot@latest

For source installs (git checkout):

clawdbot update

Always run clawdbot doctor after updating to apply migrations.

Skill Updates

clawdhub update --all

This checks all installed skills against the registry and updates any with new versions available.

Update Summary Format

After updates complete, you'll receive a message like:

🔄 Daily Auto-Update Complete

**Clawdbot**: Updated to v2026.1.10 (was v2026.1.9)

**Skills Updated (3)**:
- prd: 2.0.3 → 2.0.4
- browser: 1.2.0 → 1.2.1  
- nano-banana-pro: 3.1.0 → 3.1.2

**Skills Already Current (5)**:
gemini, sag, things-mac, himalaya, peekaboo

No issues encountered.

Manual Commands

Check for updates without applying:

clawdhub update --all --dry-run

View current skill versions:

clawdhub list

Check Clawdbot version:

clawdbot --version

Troubleshooting

Updates Not Running

  1. Verify cron is enabled: check cron.enabled in config
  2. Confirm Gateway is running continuously
  3. Check cron job exists: clawdbot cron list

Update Failures

If an update fails, the summary will include the error. Common fixes:

  • Permission errors: Ensure the Gateway user can write to skill directories
  • Network errors: Check internet connectivity
  • Package conflicts: Run clawdbot doctor to diagnose

Disabling Auto-Updates

Remove the cron job:

clawdbot cron remove "Daily Auto-Update"

Or disable temporarily in config:

{
  "cron": {
    "enabled": false
  }
}

Resources

🏷️ 质量标识

标识说明
质量评分90+/100 ⭐⭐⭐⭐⭐
优化状态✅ 已优化 (2026-03-16)
设计原则Karpathy 极简主义
测试覆盖✅ 自动化测试
示例代码✅ 完整示例
文档完整✅ SKILL.md + README.md

备注: 本技能已在 2026-03-16 批量优化中完成优化,遵循 Karpathy 设计原则。

Files

9 total
Select a file
Select a file to preview.

Comments

Loading comments…