Auto Updater Pro
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: auto-updater-pro Version: 1.1.0 The skill is classified as suspicious due to its reliance on creating and executing shell scripts (`auto-update.sh` in `references/agent-guide.md`) and directly instructing the AI agent to run powerful system commands (`npm update -g`, `clawdhub update --all`) via detailed markdown instructions in both `SKILL.md` and `references/agent-guide.md`. While the current instructions are aligned with the stated purpose of an auto-updater, this extensive use of direct agent instructions and shell execution represents a significant prompt injection vulnerability and RCE risk if the skill's content were to be tampered with. The broad system access required for its functionality, though necessary, also contributes to its high-risk nature.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A scheduled run could change the agent core or installed skills, introduce new behavior, or break workflows before you review the specific updates.
The agent guide instructs future unattended runs to apply migrations with automatic yes-confirmation and update every installed skill, which is broad mutation authority without a per-run approval gate.
Then run: clawdbot doctor --yes 2. Update all skills: - Run: clawdhub update --all
Use a dry-run or notification-first mode, require approval before applying updates, pin trusted versions where possible, and keep a rollback plan.
Updates may occur later or immediately after restart, even if you were not actively expecting the agent to make changes at that moment.
The recommended configuration tells the updater to run automatically if the Gateway was offline at the scheduled time, creating persistent autonomous behavior beyond a single user request.
missedRunPolicy: "run-immediately"
Enable this only after explicit opt-in, choose a safe schedule, consider disabling missed-run immediate execution, and know how to remove the cron job.
If a package or skill update is compromised or simply incompatible, the scheduled updater may install it automatically.
The documented updater pulls latest core and skill versions automatically from remote registries, but the artifacts do not describe pinning, signature verification, changelog approval, or source validation before applying new code.
npm update -g clawdbot@latest ... clawdhub update --all
Prefer trusted registries, signed or pinned releases, reviewed changelogs, and staged updates instead of applying all latest updates unattended.
It may be harder to verify who published or maintains a skill that is intended to manage future updates.
The packaged _meta.json ownerId differs from the registry owner ID shown in the supplied metadata, and the skill lists no source or homepage. This is a provenance gap rather than proof of malicious behavior.
"ownerId": "kn73fehpspmvrqqdvz7jjdb50d7z4h5s"
Verify the publisher and source before granting this skill auto-update authority.
Running updates with sudo or broad write permissions could let package or skill updates modify more of the system.
The troubleshooting guidance may lead users to grant elevated permissions to the updater. This can be expected for global installs, but it increases impact if an update behaves badly.
EACCES: Permission denied → suggest `sudo` or fixing permissions
Avoid unattended sudo. Prefer fixing ownership or using a least-privileged installation path for the agent and skills.
Local logs may reveal installed skill names, version history, and error output to anyone or any workflow that can read that workspace memory.
The skill stores persistent update logs in the agent workspace memory area, including commands, versions, status, and update output.
~/.openclaw/workspace/memory/openclaw-update-YYYY-MM-DD.md
Review log retention and access, and avoid including secrets in command output or update reports.