Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ollama Updater

v1.0.1

Ollama Updater installs or updates Ollama with curl-based breakpoint resume, auto-retry, progress display, old version cleanup, and GPU driver detection.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (install/update Ollama with resumable curl downloads) aligns with the included shell script (ollama-install.sh) and uses expected endpoints (ollama.com, GitHub raw URLs). However package metadata and docs claim additional files (main.py, a CLI wrapper 'ollama-updater', package.json 'bin' target) that are not present in the provided file manifest — this is a packaging/documentation mismatch.
Instruction Scope
SKILL.md and other docs instruct the agent/user to run commands that require root (sudo), create systemd units, add users/groups, and modify /usr/local/bin — all expected for an installer but high‑impact. More importantly, SKILL.md shows incorrect/ambiguous run instructions (e.g. 'bash /path/to/ollama-updater/main.py' — running bash on a .py and referencing main.py which is not present in the manifest), which is inconsistent and could lead an agent to attempt to run non-existent files or the wrong interpreter.
Install Mechanism
This is an instruction-only skill (no automated install spec). The script itself downloads from known domains (https://ollama.com and GitHub raw URLs) rather than obscure hosts. The script will write files and create systemd units when executed (expected for an installer), but there is no opaque third‑party binary download host or URL shortener in the provided content.
Credentials
No secrets or unrelated environment variables are requested. The script supports optional environment variables (OLLAMA_VERSION, OLLAMA_NO_START) but these are benign and documented. The SKILL.md does not declare these in a formal requires.env list, so the agent might not surface them clearly to users.
Persistence & Privilege
The installer intentionally requests elevated privileges (sudo/root) to install binaries, create a system user, and configure a systemd service — appropriate for a system service installer but high privilege. The skill is not always-enabled and does not request permanent automatic inclusion, which limits autonomous reach, but running it will modify system-wide settings and services.
What to consider before installing
This package appears to be an Ollama installer and its shell script behavior (resumable curl, extraction, systemd, user/group changes) is coherent with that purpose — but there are multiple red flags you should resolve before installing:
1) The manifest/docs reference files (main.py, CLI wrapper) that are not present; SKILL.md even shows 'bash .../main.py' which is wrong. This indicates sloppy packaging and increases risk of user/agent confusion.
2) The installer runs as root and will create users, write to /usr/local and /etc/systemd — review the script content (ollama-install.sh) line-by-line to confirm it only downloads from trusted hosts (ollama.com, GitHub) and makes expected changes.
3) Prefer to verify download integrity (checksums or signatures) for the Ollama binaries it fetches; consider running the script in a container or VM first if you’re unsure.
4) If you intend to let an agent invoke this skill autonomously, restrict that until you confirm the missing files and documentation inconsistencies are resolved.
If you want, provide the missing files (main.py, wrapper) or a trustworthy upstream repository URL and I can re-evaluate with higher confidence.

Like a lobster shell, security has layers — review code before you run it.
