Smart Auto Updater
v1.0.0
Smart auto-updater with AI-powered impact assessment. Checks updates, analyzes changes, evaluates system impact, and decides whether to auto-update or just report. Perfect for hands-off maintenance with safety guarantees.
by 王睿 Ray (@ruiwang20010702)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the instructions: checking OpenClaw and ClawHub updates, analyzing changelogs with an LLM, classifying risk, and deciding whether to apply updates is coherent with an 'auto-updater' skill. Requesting no required binaries or credentials in metadata is plausible for an instruction-only skill that expects the platform's openclaw CLI and agent runtime to already provide access.
Instruction Scope
SKILL.md and references instruct the agent to read/write local config (~/.config/smart-auto-updater.env), write logs (~/.logs/smart-auto-updater.log), add cron jobs (openclaw cron add), and deliver reports to external channels. Those file paths and operational behaviors are not declared in the skill metadata. The instructions also refer to webhook environment variables and gateway status checks — the skill therefore reads and transmits system update state and may send data externally, which is broader than the declared surface.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write/execute; that lowers install-time risk. There is no download or archive extraction described in the package metadata.
Credentials
The metadata declares no required env vars, but the documentation references many optional environment variables (AI model, auto-update thresholds, SMART_UPDATER_*), webhook URLs (FEISHU/SLACK/DISCORD), logging paths, and channel settings. Because these variables control where reports are sent and whether auto-updates occur, the absence of declared required credentials means the skill's external communication surfaces and secret requirements are under-specified and should be verified before use.
Persistence & Privilege
always is false (good), but the skill explicitly instructs creating recurring cron jobs and performing autonomous updates of OpenClaw/skills. Scheduling recurring sessions and enabling auto-update (even only for LOW risk by default) gives it persistent, recurring capability to act on the system. That's consistent with an updater but increases the risk if the skill is untrusted or misconfigured.
What to consider before installing
What to consider before installing/using:
- Trust & provenance: The skill has no source/homepage and no code files — treat it like opaque instructions. Prefer skills with a verifiable repository and maintainer.
- Config & secrets: The docs reference many environment variables and webhook URLs (feishu/slack/discord) but the metadata declares none. Before enabling, ensure you control any webhook endpoints the skill will use and avoid putting sensitive credentials into untrusted agents.
- Persistence: The skill can create cron jobs and auto-apply updates (including OpenClaw/core skills). If you enable auto-update, start with conservative settings (AUTO_UPDATE=NONE or LOW risk tolerance) and run in dry-run mode first.
- Least privilege testing: Run the skill in an isolated or staging environment first. Inspect any created files (~/.config/smart-auto-updater.env, ~/.logs/smart-auto-updater.log) and review scheduled crons (openclaw cron list or system cron) before allowing it to run in production.
- Auditability: Because the skill will fetch changelogs and may send reports externally, ensure logs and report destinations are monitored for unexpected content or destinations.
Things that would change this assessment: presence of a public source repo or installable package that shows exact commands run, explicit declaration of required env vars/credentials in the metadata, or code files showing no unexpected network/file operations. Without that, the metadata/instructions mismatch (config files and webhooks referenced but not declared) makes the package suspicious.
Like a lobster shell, security has layers — review code before you run it.
