OpenClaw Update Checker

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill will contact npm and inspect local OpenClaw package metadata, but the artifacts show no file writes or update actions.

Why it was flagged

The skill uses local file reads and an outbound registry request; these are clearly disclosed and aligned with checking the installed version against npm.

Skill content

**File reads:** `/usr/lib/node_modules/openclaw/package.json` and `/usr/local/lib/node_modules/openclaw/package.json` ... **Network:** Single HTTPS GET to `https://registry.npmjs.org/openclaw`

Recommendation

Use it when you are comfortable with a public npm registry lookup; no extra permissions or credentials appear necessary.

What this means

There is less external provenance information than ideal, although the supplied source is short and consistent with the stated behavior.

Why it was flagged

The registry metadata does not provide an upstream source or homepage, so users must rely on the included artifacts for provenance review.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included script before installing if provenance matters in your environment.