safe-update
v1.0.6Update OpenClaw from source code. Supports custom project path and branch. Includes pulling latest branch, rebasing, building and installing, restarting serv...
⭐ 2· 573·1 current·1 all-time
byAIWareTop@hacksing
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill's name/description align with the included script and SKILL.md: it updates OpenClaw from source, backups config, fetches upstream (GitHub), builds, installs globally, and restarts the gateway. Minor inconsistencies: SKILL.md warns about 'git rebase' and 'git push --force' while the provided script uses 'git merge' (no force-push). SKILL.md also mentions 'openclaw daemon install --force' in one section although the script does not run that command. These are likely documentation/script drift rather than malicious behavior.
Instruction Scope
Instructions and script operate on the project directory and user config (~/.openclaw), check git state, build with npm, and restart the per-user systemd service — all expected for an updater. They do not access unrelated system areas or exfiltrate data. The script will copy local config files to ~/.openclaw/backups and may require elevated privileges for global npm install; it prompts the user before destructive steps. The documentation suggests rebase/force-push workflows that are not implemented in the script, so behavior should be reviewed before running if you expect rebase semantics.
Install Mechanism
This is an instruction-only skill with an included shell script; there is no installer that downloads arbitrary executables from untrusted URLs. The only external network operation is a git fetch from the GitHub repository upstream, which is expected for a source update.
Credentials
No secret or credential environment variables are required. Optional vars (OPENCLAW_PROJECT_DIR, OPENCLAW_BRANCH, DRY_RUN) are appropriate for configuring the updater. The script reads/writes only user-local config under $HOME and uses system commands (git, npm, node, systemctl) appropriate to the task.
Persistence & Privilege
Skill does not request persistent privileges or 'always' inclusion. It restarts the per-user openclaw service (systemctl --user restart) as expected for applying an update. It does not modify other skills or system-wide settings beyond reinstalling/updating the OpenClaw service.
Assessment
This skill appears to do what it says, but review and take precautions before running it: 1) Run with DRY_RUN=true first to see planned actions. 2) Verify the upstream remote (https://github.com/openclaw/openclaw.git) is the correct/trusted repository. 3) Back up ~/.openclaw (script does this) and ensure you have commits/stashes for local changes. 4) Note that 'npm i -g .' may require sudo and will install globally; consider running in a controlled environment. 5) The SKILL.md mentions rebase/force-push workflows and a daemon reinstall step that the script does not perform — if you need rebase behavior, inspect/modify the script accordingly. 6) If you are not comfortable with the commands, run the script step-by-step manually rather than allowing an automated run.Like a lobster shell, security has layers — review code before you run it.
latestvk97fjmwn6f0rvvxtrb9xdtgpzd821jcv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.