Openclaw Update
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-update-skill Version: 1.1.1 The skill bundle is designed to check for and apply OpenClaw updates using standard `openclaw` CLI commands and `pnpm`. All commands and instructions in `SKILL.md` and `skills/SKILL.md` are directly related to this stated purpose. There is no evidence of data exfiltration, malicious execution (beyond the intended update process), persistence mechanisms, or prompt injection attempts against the agent. The `OPENCLAW_UPDATE_CHECK_URL` environment variable is a configuration option, not an active malicious redirection by the skill itself.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run, the agent could change the installed OpenClaw version and briefly disrupt or alter gateway behavior.
These commands can update the global OpenClaw installation and restart the gateway. That is aligned with the updater purpose, but it is a high-impact operation that should be user-approved.
pnpm add -g openclaw # Restart gateway after update openclaw gateway restart
Only allow update and restart commands after confirming the target version, expected downtime, and rollback plan.
A compromised or unexpected upstream package version could be installed if the update is run without verification.
The workflow updates to the latest package rather than a pinned version. This is expected for an updater, but it means the installed code depends on the current upstream package state.
# Update to latest version pnpm add -g openclaw
Review the OpenClaw release notes and package source before updating; consider pinning a specific version for controlled environments.
A scheduled check could continue running after initial setup and may produce ongoing system activity.
The skill suggests optional scheduled checks. This is disclosed and limited to update checking, but cron creates persistent background behavior if the user configures it.
**Automatic update checks**: Configure cron jobs for periodic update checks
Configure cron jobs only intentionally, keep them visible and logged, and avoid automatic updates unless separately approved.