Auto Updater 1.0.0
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: auto-updater-1-0-0 Version: 1.0.0 The skill 'auto-updater' is designed to automatically update Clawdbot and its installed skills daily via a cron job. The `SKILL.md` and `references/agent-guide.md` files instruct the agent to set up a shell script (`auto-update.sh`) that uses standard package managers (`npm`, `pnpm`, `bun`) and `clawdbot`/`clawdhub` commands to perform updates and log results locally. While it involves setting up persistence (cron job) and executing shell commands, these actions are directly aligned with its stated, benign purpose. There is no evidence of data exfiltration, malicious execution, unauthorized remote control, or prompt injection attempts to subvert the agent's core directives beyond the skill's intended function.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A faulty or compromised future package or skill release could be installed automatically and change how the agent behaves.
The documented update path tracks latest releases and updates every installed skill, with no pinning or per-release review described.
npm update -g clawdbot@latest ... clawdhub update --all
Use this only if you accept unattended updates. Prefer dry-run checks, pinned/trusted sources, manual approval for major updates, and a rollback plan.
The agent could apply migrations and update all skills without stopping for confirmation, which may break workflows or change capabilities unexpectedly.
The scheduled routine tells the agent to run broad mutation commands, including an automatic-confirmation doctor command and an all-skills update.
Then run: clawdbot doctor --yes ... Run: clawdhub update --all
Require an explicit approval step before applying updates, or schedule only a dry-run summary and let the user approve the actual update.
One bad update could impact multiple skills or the core agent at once, making failures harder to isolate.
The update action is not limited to one component; it can affect the core agent and every installed skill in one scheduled run.
Updates Clawdbot itself ... Updates all installed skills
Consider staged updates, backups, update logs, and a documented rollback process before enabling daily unattended updates.
The updater will continue to run daily until the cron job is removed or disabled.
The skill creates a persistent scheduled task. This is disclosed and aligned with the stated purpose, but it will keep running after setup.
clawdbot cron add ... --cron "0 4 * * *" ... --message "Run daily auto-updates..."
After setup, verify the cron entry with `clawdbot cron list` and remove it with `clawdbot cron remove "Daily Auto-Update"` if you no longer want unattended updates.