ClawHub

Auto Updater.Bak 2026 01 28T18:01:13+10:30

v1.0.0

Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of what changed.

1· 1.6k·0 current·2 all-time
by@nicoataiza
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the runtime instructions: the SKILL.md and references describe adding a cron job that runs clawdbot/clawdhub update commands and reports a summary. The commands and paths referenced (clawdbot, clawdhub, ~/.clawdbot scripts/logs) are coherent with an auto-update purpose.
!
Instruction Scope
The instructions instruct the agent to run global package manager updates and 'clawdhub update --all' to apply new versions automatically and to write/run a helper script under ~/.clawdbot. There are no steps for verifying update integrity (no checksums/signatures) or requiring interactive approval before applying updates. Automatic, unattended code installation from a registry can introduce malicious updates if the registry or package is compromised. The script emits an update summary that the agent parses — this is expected, but the skill does not limit what the summary might include (some update outputs could contain sensitive info).
Install Mechanism
This is an instruction-only skill with no install spec and no code files that would be fetched/installed by the skill itself. That minimizes installation risk from the skill bundle itself.
Credentials
The skill requests no environment variables or external credentials, which is proportional. However, it relies on system package managers and will run commands that may require elevated permissions (global npm/pnpm/bun updates, filesystem writes to ~/.clawdbot), so the user must ensure the executing account has appropriate, limited privileges.
Persistence & Privilege
The skill adds a cron job (via clawdbot cron add) to persist scheduled execution — this is consistent with its function. It is not marked always:true. Still, granting automatic periodic update capability is a high-impact privilege because it allows future unattended code changes to the agent and its skills; combine that with automatic apply behavior and the blast radius increases.
What to consider before installing
This skill does what it says (schedules and runs daily updates) and contains only instructions, but it will automatically apply updates to Clawdbot and every installed skill without integrity checks or explicit interactive approval. Before installing: - Consider enabling a dry-run mode first (clawdhub update --all --dry-run) and inspect outputs for a few runs. - Prefer manual or staged updates for third‑party skills, or require human approval before applying updates. - Ensure the Cron job runs as a minimally privileged user and that you have recent backups in case an update breaks things. - Verify the ClawdHub/registry reputation and consider pinning critical skills to known-good versions if possible. - Review the helper script path (~/.clawdbot/scripts/auto-update.sh) and log file location, and inspect logs regularly. Minor metadata note: _meta.json lists owner "maximeprades" while the registry metadata shows a different owner id — not necessarily malicious, but worth confirming the skill's origin before enabling automated updates.

Like a lobster shell, security has layers — review code before you run it.

latestvk97encdkc1jnrab4n2mt6cct7n802cez

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔄 Clawdis
OSmacOS · Linux

Comments