OpenClaw Update Checker
PassAudited by ClawScan on May 1, 2026.
Overview
This skill coherently performs a read-only OpenClaw version check by reading local package metadata and querying the public npm registry.
This appears safe for its stated purpose. Before installing, note that it will make a public HTTPS request to npm and read OpenClaw's global package.json, and that the registry entry does not provide a source repository or homepage.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill will contact npm and inspect local OpenClaw package metadata, but the artifacts show no file writes or update actions.
The skill uses local file reads and an outbound registry request; these are clearly disclosed and aligned with checking the installed version against npm.
**File reads:** `/usr/lib/node_modules/openclaw/package.json` and `/usr/local/lib/node_modules/openclaw/package.json` ... **Network:** Single HTTPS GET to `https://registry.npmjs.org/openclaw`
Use it when you are comfortable with a public npm registry lookup; no extra permissions or credentials appear necessary.
There is less external provenance information than ideal, although the supplied source is short and consistent with the stated behavior.
The registry metadata does not provide an upstream source or homepage, so users must rely on the included artifacts for provenance review.
Source: unknown Homepage: none
Review the included script before installing if provenance matters in your environment.