Auto Updater 1.0.0

WarnAudited by ClawScan on May 10, 2026.

Overview

The skill is clearly an auto-updater, but it sets up a persistent daily job that can change Clawdbot and every installed skill without per-update review.

Install this only if you intentionally want unattended daily updates of Clawdbot and every installed skill. Safer operation would be to run `clawdhub update --all --dry-run` on a schedule, review the summary, and approve the actual update manually.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

A faulty or compromised future package or skill release could be installed automatically and change how the agent behaves.

Why it was flagged

The documented update path tracks latest releases and updates every installed skill, with no pinning or per-release review described.

Skill content

npm update -g clawdbot@latest ... clawdhub update --all

Recommendation

Use this only if you accept unattended updates. Prefer dry-run checks, pinned/trusted sources, manual approval for major updates, and a rollback plan.

Medium

#ASI02: Tool Misuse and Exploitation

What this means

The agent could apply migrations and update all skills without stopping for confirmation, which may break workflows or change capabilities unexpectedly.

Why it was flagged

The scheduled routine tells the agent to run broad mutation commands, including an automatic-confirmation doctor command and an all-skills update.

Skill content

Then run: clawdbot doctor --yes ... Run: clawdhub update --all

Recommendation

Require an explicit approval step before applying updates, or schedule only a dry-run summary and let the user approve the actual update.

Medium

#ASI08: Cascading Failures

What this means

One bad update could impact multiple skills or the core agent at once, making failures harder to isolate.

Why it was flagged

The update action is not limited to one component; it can affect the core agent and every installed skill in one scheduled run.

Skill content

Updates Clawdbot itself ... Updates all installed skills

Recommendation

Consider staged updates, backups, update logs, and a documented rollback process before enabling daily unattended updates.

Low

#ASI10: Rogue Agents

What this means

The updater will continue to run daily until the cron job is removed or disabled.

Why it was flagged

The skill creates a persistent scheduled task. This is disclosed and aligned with the stated purpose, but it will keep running after setup.

Skill content

clawdbot cron add ... --cron "0 4 * * *" ... --message "Run daily auto-updates..."

Recommendation

After setup, verify the cron entry with `clawdbot cron list` and remove it with `clawdbot cron remove "Daily Auto-Update"` if you no longer want unattended updates.