Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Updater Pro

v1.1.0

Enhanced auto-updater with detailed logging, missed run recovery, and Gateway restart protection.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the instructions: the SKILL.md tells the agent to update Clawdbot and installed skills, set up a cron job, log progress, and report results. Referenced commands (clawdbot, clawdhub, npm/pnpm/bun) are appropriate for this purpose and no unrelated credentials or binaries are requested.
Instruction Scope
Instructions stay within update/log/report scope and only read/write log and script files under the user's home (~/.clawdbot, ~/.openclaw). They instruct running global package updates and clawdhub update --all (expected for an updater). Note: the guide suggests using sudo to fix EACCES errors — upgrading globally may require elevated privileges; the user should avoid running automated sudo without understanding implications. Email/chat delivery is referenced but relies on existing Clawdbot delivery config (no SMTP details included).
Install Mechanism
No install spec and no code files — instruction-only. Nothing is downloaded from external URLs or written to arbitrary system paths by the skill itself, so installation risk is low.
Credentials
The skill declares no required env vars or credentials and the runtime instructions do not request secrets. It relies on local tools and existing Clawdbot delivery configuration for reporting; this is proportionate to its function.
Persistence & Privilege
The skill is not always:true and uses Clawdbot's cron (expected). It will cause system changes when run (updating software and writing logs), which is inherent to an auto-updater. Users should be aware updates will modify other skills (supply-chain risk) and that autonomous runs will perform those updates unless cron/skill is disabled.
Assessment
This skill is coherent with its stated purpose, but take these precautions before enabling automatic runs:
1) Run the update flow manually or as a dry-run first (clawdhub update --all --dry-run) to inspect what will change.
2) Backup or snapshot any important configuration/data — updating skills can alter behavior.
3) Confirm where update reports/emails will be delivered and that those delivery credentials are correct.
4) Avoid blindly granting sudo to cron jobs; prefer fixing permissions for the Gateway user or using non-global installs where possible.
5) Review changelogs of updated skills (or run in an isolated session) if you have security-sensitive integrations.
Overall, the skill appears legitimate and instruction-only, not requesting unrelated access, but automatic updates carry inherent supply-chain risk — monitor first runs closely.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🔄 Clawdis
OS: macOS · Linux