Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Update Litiao

v1.0.0

Safely update skills with preview, migration support, and user validation. Never lose data or break workflows.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to manage safe updates, previews, and migrations — which aligns with the instructions — but the runtime instructions call out npx clawhub commands and reading/writing the user's ~/.clawhub skill folders without listing any required binaries or config paths. Also _meta.json uses a different slug/ownerId than the registry metadata, which is an unexpected packaging inconsistency.
Instruction Scope
SKILL.md, migrate.md, and preview.md explicitly instruct the agent to read skill files, copy/move folders, run diffs, and back up/restore from ~/.clawhub and /tmp. Those actions are coherent for an updater, but they require file-system access to user skill data and the ability to run external commands (npx). The instructions emphasize seeking user approval before destructive actions, which is good, but they do assume the agent can read and write in those paths.
Install Mechanism
This is instruction-only with no install spec and no code files — lowest install risk. There is no archive download or external installation declared.
Credentials
The skill declares no credentials, environment variables, or config paths. The actions described (reading/moving skill files under ~/.clawhub, copying to /tmp/backups, running npx) are proportional to an updater's purpose, but the skill should have declared that it expects npx (or Node/npm) and access to the ~/.clawhub paths.
Persistence & Privilege
always is false and the skill does not request permanent platform-level privileges. It does instruct keeping backups for days and restoring them when requested — appropriate for an updater and scoped to its own backup path. No instructions modify other skills' configs beyond backing up/restoring their folders (which is expected for this function).
What to consider before installing
This appears to be a reasonable instruction-only 'skill updater' but check three things before installing: (1) Confirm who published it — _meta.json slug/owner differ from the registry record (could be packaging error or misattribution). (2) Ensure the agent environment includes Node/npm/npx if you expect the helper to run the npx clawhub commands (the skill does not declare required binaries). (3) Be comfortable with the updater reading and writing ~/.clawhub and /tmp (backups/migrations). Ask the publisher to clarify the metadata mismatch, and test the preview flow on a non-critical skill or in a disposable environment to verify it only reads the intended folders and asks for explicit approval before any destructive changes.

Like a lobster shell, security has layers — review code before you run it.

latest: vk973fxy3azwdhmh6hj2pecn2k1832qft


SKILL.md

Safe Skill Updates

Core principle: Never update without user understanding and approval.

Updates can break things:

  • Changed file locations → data loss
  • Removed features → broken workflows
  • New requirements → unexpected behavior
  • Changed data formats → incompatible state

References:

  • Read preview.md — Diff and impact analysis
  • Read migrate.md — Data migration strategies

Update Flow

  1. Check — Are updates available?
  2. Preview — What changes? How does it affect user?
  3. Explain — Present changes step-by-step
  4. Confirm — User explicitly approves
  5. Backup — Save current state
  6. Update — Apply new version
  7. Verify — Confirm everything works

Checking for Updates

npx clawhub outdated           # List skills with updates
npx clawhub info <slug>        # Show available versions

Proactive notification: When user mentions a skill, check if update exists. Mention it once, don't nag.


Preview Before Update

⚠️ Never update without showing impact first.

For each changed file:

  1. Show what's different (added/removed/modified)
  2. Explain how it affects user's workflow
  3. Flag breaking changes prominently

Breaking change indicators:

  • File/folder structure changes
  • Removed instructions or features
  • New required setup steps
  • Changed data format expectations
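
An added example, not part of the skill or of clawhub: one way to build the per-file added/removed/modified list from two unpacked copies of a skill, plus a heuristic that surfaces removed files as breaking-change candidates. The directory arguments, function names and sample files are assumptions; the page does not say where clawhub unpacks a skill.

```bash
#!/usr/bin/env bash
# Added example, not part of the skill. Directory arguments are assumptions:
# the page does not say where clawhub unpacks a skill.

# Print "added|modified|removed <relative path>" for every file that differs.
skill_changes() {
  local old="$1" new="$2" f
  [ -d "$old" ] && [ -d "$new" ] || { echo "need two directories" >&2; return 2; }
  {
    # Files in the new version are either added or, if content differs, modified.
    (cd "$new" && find . -type f) | while IFS= read -r f; do
      if [ ! -e "$old/$f" ]; then echo "added ${f#./}"
      elif ! cmp -s "$old/$f" "$new/$f"; then echo "modified ${f#./}"
      fi
    done
    # Files that exist only in the old version were removed by the update.
    (cd "$old" && find . -type f) | while IFS= read -r f; do
      [ -e "$new/$f" ] || echo "removed ${f#./}"
    done
  } | sort
}

# Heuristic for the breaking change indicators above: a removed file means the
# folder structure changed or an instruction file went away.
breaking_candidates() {
  skill_changes "$1" "$2" | grep '^removed ' || true
}

# Constructed sample: v1 keeps config in SKILL.md and ships legacy.md;
# v2 adds config.md and templates/, and drops legacy.md.
demo_preview() {
  local tmp; tmp=$(mktemp -d)
  mkdir -p "$tmp/v1" "$tmp/v2/templates"
  printf 'instructions\nconfig: a\n' > "$tmp/v1/SKILL.md"
  printf 'old notes\n'               > "$tmp/v1/legacy.md"
  printf 'instructions\n'            > "$tmp/v2/SKILL.md"
  printf 'config: a\n'               > "$tmp/v2/config.md"
  printf 'example\n'                 > "$tmp/v2/templates/basic.md"
  skill_changes "$tmp/v1" "$tmp/v2"
  rm -rf "$tmp"
}
```
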

User Validation

Present changes in digestible format:

"Skill X has v2.0.0 available. Changes:

⚠️ Breaking: Config now in config.md (was in SKILL.md)
Added: New templates/ folder with examples
Removed: Old legacy.md no longer needed

Migration needed: Your saved preferences need to move. I can help migrate. Proceed?"

Only update after explicit "yes".


Backup Strategy

Before ANY update:

  1. Copy current skill folder to ~/.clawhub/backups/<slug>-<version>-<timestamp>/
  2. Note the backup location in response
  3. If update fails → offer restore
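
An added example, not part of the skill or of clawhub: a backup step that validates the slug and version before they become part of a path, copies the skill folder to the location named in step 1, and verifies the copy. `BACKUP_ROOT`, the function names and the source directory argument are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the skill. BACKUP_ROOT and the function names are
# hypothetical; the default matches the path given in the Backup Strategy steps.
BACKUP_ROOT="${BACKUP_ROOT:-$HOME/.clawhub/backups}"

# Slug and version end up in a path, so allow only a conservative character
# set and reject anything starting with "." or "-" ("..", option-like names).
safe_component() {
  case "$1" in
    ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# backup_skill SKILL_DIR SLUG VERSION -> prints the backup directory on success.
backup_skill() {
  local src="$1" slug="$2" version="$3" dest
  safe_component "$slug" && safe_component "$version" \
    || { echo "unsafe slug or version" >&2; return 1; }
  # Refuse a symlinked source so the copy cannot be redirected elsewhere.
  [ -d "$src" ] && [ ! -L "$src" ] \
    || { echo "source is not a plain directory" >&2; return 1; }
  # If the backup root does not exist yet, create it private to the user.
  ( umask 077; mkdir -p "$BACKUP_ROOT" ) || return 1
  dest="$BACKUP_ROOT/$slug-$version-$(date -u +%Y%m%dT%H%M%SZ)"
  # Never overwrite an earlier backup.
  mkdir "$dest" || { echo "backup already exists: $dest" >&2; return 1; }
  cp -Rp "$src/." "$dest/" || return 1
  # Verify the copy before anything is allowed to touch the original.
  diff -r "$src" "$dest" >/dev/null \
    || { echo "backup verification failed" >&2; return 1; }
  printf '%s\n' "$dest"
}
```
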

Handling Migrations

When data format changes:

  1. Detect user's current data (preferences, saved state)
  2. Explain what needs to migrate
  3. Propose migration steps
  4. Execute only with approval
  5. Verify migrated data works

See migrate.md for patterns.


Rollback

If update causes problems:

"Something's not working? I have a backup from before the update.
Want me to restore skill X to v1.2.3?"

Keep backups for at least 7 days or until user confirms new version works.


Updates should feel safe, not scary. User stays in control.

Files

4 total