Clawdbot Release Check
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill coherently checks GitHub for Clawdbot releases and can optionally create a daily notification job, with no artifact-backed malicious behavior found.
This appears safe for its stated purpose. Before installing the cron setup, confirm you want a persistent daily release check and that the Telegram/Discord/WhatsApp destination is correct; uninstall the job if you no longer want scheduled notifications.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you run setup, the checker may continue sending daily release notifications until you uninstall the job.
The setup script can create a persistent daily agent job that runs the release check and sends output. This is disclosed and purpose-aligned, but it continues until removed.
"enabled": true, "schedule": { "kind": "cron", "expr": ("0 " + $hour + " * * *") }, "payload": { "kind": "agentTurn", "message": ("UPDATE_CHECK: Run " + $script + " and if there is output, send it to the user.")
Only run setup if you want scheduled checks, and use `scripts/setup.sh --uninstall` or review `~/.clawdbot/cron/jobs.json` if you want to remove it.
Release-check output, including version information and possibly the local Clawdbot path shown in update instructions, may be sent to the configured messaging destination.
Scheduled output is delivered through a configured messaging channel such as Telegram, WhatsApp, or Discord. This matches the notification purpose, but the recipient/channel should be chosen carefully.
"deliver": true, "channel": $channel, "to": $to
Use only a trusted recipient ID and channel, and avoid enabling scheduled delivery if you do not want this information sent off-device.
Setup may fail or behave differently on systems without these additional tools.
The registry requirements list curl and jq, but setup.sh also invokes uuidgen, and check.sh has an npm fallback for locating a global install. This is a small dependency-declaration gap rather than suspicious behavior.
JOB_ID=$(uuidgen | tr '[:upper:]' '[:lower:]')
Verify the needed tools are present before setup, or update the skill metadata to declare all binaries it may use.
