Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Update Approval Guard

v1.0.0

Use this skill when the user wants scheduled update checks for OpenClaw and installed skills, but does not want automatic mutation. The skill performs dry-ru...

by HIIC-Wayne (@waytobetter619)

Install

OpenClaw Prompt Flow

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for waytobetter619/update-approval-guard:

Install the skill "Update Approval Guard" (waytobetter619/update-approval-guard) from ClawHub.
Skill page: https://clawhub.ai/waytobetter619/update-approval-guard
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):

openclaw skills install update-approval-guard

ClawHub CLI (via npx):

npx clawhub@latest install update-approval-guard

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The SKILL.md describes a narrow updater that only needs the local openclaw/clawhub commands and workspace storage. However the published package contains dozens of other skill directories, scripts, config files, and baked-in tokens (e.g., feishu app_token, mcporter Bearer tokens, instreet api_key). Those extras are unrelated to a simple update-checker and increase the attack surface and data exposure risk.

Instruction Scope

The SKILL.md itself is tightly scoped (dry-run checks, create pending-update.json, apply only on explicit approval). But other included files (AGENTS.md, SOUL.md, memory files) instruct agents to read workspace memory and user files on startup. The package-level instructions encourage reading many files (MEMORY.md, USER.md, etc.), which is scope creep relative to an update-approval helper and could leak sensitive context during scheduled tasks.

Install Mechanism

There is no formal install spec (instruction-only), which normally limits risk — but the bundle contains a publish.sh and an UPDATE-APPROVAL-GUARD-PUBLISH.md that describe an automated publish workflow (git init, push to GitHub, publish to ClawHub). That behavior could exfiltrate workspace code or metadata if the script is run. Also many auxiliary scripts and backups are bundled unnecessarily with the single-skill description.

Credentials

The skill declares no required env vars or credentials, but the repository includes multiple files with hard-coded tokens and API keys (e.g., config/industry_news_config.json app_token, config/mcporter.json Bearer tokens, instreet api_key). These credentials are unrelated to the update-check workflow and indicate either accidental leakage or an incoherent package composition.

Persistence & Privilege

always is false (good). Model invocation is enabled (default). There is no declared behavior that forces permanent installation, but embedded files/instructions (publish script, cron example) could be used to create persistent cron jobs or publish code if an operator runs them. Autonomous cron-triggered agent turns could read workspace files; combined with the other issues this increases blast radius.

Scan Findings in Context

  • [ignore-previous-instructions] unexpected: Prompt-injection pattern detected in package SKILL.md pre-scan signals. The update-checker does not need to alter system prompts; presence of these patterns is unexpected and worth manual review.
  • [you-are-now] unexpected: Another pre-scan prompt-injection indicator. Not expected for a narrow update-approval skill; inspect SKILL.md/AGENTS.md for attempt to override agent role or system prompts.
  • [system-prompt-override] unexpected: Detected pattern suggests instructions that may try to change the agent/system prompt. This is unrelated to scheduled update checks and should be reviewed.

What to consider before installing

This skill's behavior (check-only then apply after explicit approval) is reasonable, but the provided bundle contains many unrelated scripts, other skills, and hard-coded tokens. Before installing:

  1. Inspect publish.sh and do not run it unless you trust it — it may git-init and push code.
  2. Search the package for hard-coded secrets (app tokens, API keys) and remove/rotate any you find.
  3. Verify cron job creation is performed in an isolated session and that the scheduled job cannot leak workspace files or push to external repos.
  4. Review AGENTS.md/SOUL.md behavior: they instruct agents to read memory and user files — ensure that scheduled checks won't expose sensitive memory to external channels.
  5. If you only want the update-check logic, extract and install just the SKILL.md and example cron payload (avoid running publish scripts and unrelated code).

If you're unsure, test in a sandbox workspace (no real credentials) or decline installation until the package is cleaned.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Shell command execution detected (child_process):
  • scripts/ocean_daily_news.mjs:100
  • skills/hiic-industry-daily-report/scripts/subscription-manager.mjs:145

Environment variable access combined with network send:
  • scripts/industry_daily_news.mjs:86
  • skills/hiic-industry-daily-report/scripts/content-extractor.mjs:12
  • skills/hiic-industry-daily-report/scripts/generate-report.mjs:116
  • skills/hiic-industry-daily-report/scripts/search-aggregator.mjs:49
  • skills/hiic-industry-daily-report/scripts/summarize-content.mjs:26
  • skills/tavily-search/scripts/extract.mjs:18
  • skills/tavily-search/scripts/search.mjs:42

Install source points to URL shortener or raw IP (!):
  • skills/feishu-agent-mesh/scripts/relay-config.json:11

File read combined with network send (possible exfiltration) (!):
  • scripts/industry_daily_news.mjs:26
  • skills/hiic-industry-daily-report/scripts/feishu-bitable-saver.mjs:7
  • skills/hiic-industry-daily-report/scripts/save-to-bitable.mjs:8
  • skills/hiic-industry-daily-report/scripts/search-aggregator.mjs:20
  • skills/instreet/scripts/heartbeat.mjs:7

Prompt-injection style instruction pattern detected (!):
  • skills/proactive-agent.backup.20260311_152420/assets/HEARTBEAT.md:11
  • skills/proactive-agent.backup.20260311_152420/references/security-patterns.md:9
  • skills/proactive-agent.backup.20260311_152420/SKILL-v2.3-backup.md:179
  • skills/proactive-agent/assets/HEARTBEAT.md:11
  • skills/proactive-agent/references/security-patterns.md:9
  • skills/proactive-agent/SKILL-v2.3-backup.md:179

latest: vk97a28agtyy8v4fj1n4s7dzsf1836cf2
239 downloads · 0 stars · 1 version · updated 23h ago
v1.0.0 · license: MIT-0

Update Approval Guard

This skill turns automatic updating into a safer two-step workflow:

  1. Scheduled check: inspect for OpenClaw and installed skill updates, save a pending plan, and ask the user for approval.
  2. Approved apply: only after the user explicitly confirms, execute the update commands and report the result.

Never apply updates automatically during the scheduled check.

When to use

Use this skill when the user asks to:

  • schedule update checks for OpenClaw or installed skills
  • review available updates before applying them
  • require human approval before running update commands
  • keep production instances stable while still checking daily for updates

Hard rules

  1. Never execute real update commands during the scheduled check.
  2. Never apply updates without explicit user confirmation.
  3. If there is no valid pending update plan, do not run updates.
  4. If the plan is expired, do not run updates. Ask the user to run a fresh check.
  5. Keep all state under the workspace data directory.
  6. Prefer dry-run or inspection commands for checks.
  7. After approved updates, always run a health check.
  8. Be transparent. Summarize what will change before asking for approval.
  9. If a command fails, stop and report clearly.

State directory

Store data under:

<workspace>/data/update-approval-guard/

Use these files:

  • pending-update.json
  • history.json

Pending plan shape

Use this structure for pending-update.json:

{
  "createdAt": "2026-03-13T00:00:00+08:00",
  "expiresAt": "2026-03-14T00:00:00+08:00",
  "status": "pending_confirmation",
  "summary": "Detected 1 OpenClaw update and 2 skill updates.",
  "openclaw": {
    "current": "2026.3.8",
    "latest": "2026.3.9",
    "hasUpdate": true
  },
  "skills": [
    {
      "name": "some-skill",
      "current": "1.0.0",
      "latest": "1.0.1",
      "hasUpdate": true
    }
  ],
  "approved": false,
  "approvedAt": null,
  "approvedBy": null
}

Scheduled check behavior

When the user asks to enable the daily scheduled check, create an isolated cron job that runs every day at 00:00 Asia/Shanghai.

The scheduled job must do the following:

  1. Ensure <workspace>/data/update-approval-guard/ exists.
  2. Check whether a non-expired pending plan already exists.
  3. If a non-expired pending plan already exists, do not overwrite it. Inform the user that approval is still pending.
  4. Inspect whether OpenClaw has an available update.
  5. Inspect whether installed skills have available updates.
  6. If there are no updates, report that everything is current and do not create a pending plan.
  7. If updates are found, create pending-update.json with a 24-hour expiry.
  8. Mark the plan as pending_confirmation.
  9. Send a concise summary and ask the user to confirm.
  10. Do not run any real update command in this phase.

Recommended scheduled cron message

Use wording equivalent to:

Check for updates to OpenClaw and all installed skills.

Rules:
1. Run check-only commands. Do not apply updates automatically.
2. Create <workspace>/data/update-approval-guard/pending-update.json only when updates are found.
3. Include current version, latest version, and whether each item has an update.
4. Set status to pending_confirmation and expiry to 24 hours after creation.
5. If a non-expired pending plan already exists, keep it and report that approval is still pending.
6. If there are no updates, report that everything is current.
7. Ask the user to confirm before any update can be executed.
8. Never run the actual update command during this scheduled check.

User approval behavior

When the user sends an approval message such as:

  • 确认执行更新 (confirm and apply the update)
  • 确认更新 (confirm the update)
  • 批准更新 (approve the update)
  • approve updates
  • apply pending updates

perform this workflow:

  1. Read <workspace>/data/update-approval-guard/pending-update.json.
  2. Verify the file exists.
  3. Verify status is pending_confirmation.
  4. Verify the plan has not expired.
  5. Verify there is at least one update to apply.
  6. Record approval metadata.
  7. Execute the real update commands.
  8. Run openclaw doctor after updates.
  9. Append a result entry to history.json.
  10. Mark the pending plan as completed or failed.
  11. Return a clear summary of what changed.

If there is no pending plan, say there is nothing to approve.

If the plan is expired, say it expired and a fresh check is required.

Command strategy

The local command available on this machine is openclaw.

Use the following command policy.

Check phase

Use safe inspection commands only.

For skills:

clawhub update --all --dry-run

For OpenClaw:

  • Prefer a non-mutating version or update-check command if available in the local installation.
  • If there is no dedicated check-only command, inspect the locally installed version and compare it using the safest available non-mutating mechanism.
  • Do not upgrade OpenClaw during the scheduled phase.

Apply phase

Only after explicit approval, use the real update commands.

For skills:

clawhub update --all

For OpenClaw:

  • Use the real update command that matches the local installation method.
  • If openclaw update is available in the environment, use it.
  • If the installation uses npm or another package manager, use the correct local update procedure.

Post-update health check

After approved updates:

openclaw doctor

If a safe fix mode is explicitly requested and supported, you may use it. Otherwise prefer the plain health check.

Cron defaults

When the user asks to set up the schedule and does not specify otherwise, use:

  • time: 00:00
  • timezone: Asia/Shanghai
  • session target: isolated
  • delivery: announce
  • light context: true for routine checks unless the job clearly needs full bootstrap context

Suggested cron configuration

Use the Cron Jobs capability with settings equivalent to:

  • name: Daily Update Approval Check
  • schedule: 0 0 * * *
  • timezone: Asia/Shanghai
  • sessionTarget: isolated
  • payload.kind: agentTurn
  • delivery.mode: announce
  • payload.lightContext: true

Human-facing summaries

Updates found

Use wording like:

检测到 OpenClaw 本体和已安装 skills 的可用更新,已生成待更新计划,默认不会自动执行。若需执行,请回复:确认执行更新

(English: Updates are available for OpenClaw itself and for installed skills. A pending update plan has been generated and will not be applied automatically by default. To apply it, reply: 确认执行更新)

No updates

Use wording like:

当前 OpenClaw 与已安装 skills 均为最新版本,无需更新。

(English: OpenClaw and all installed skills are at their latest versions; no update is needed.)

Approval success

Use wording like:

已根据你的确认执行更新。OpenClaw 更新状态:成功。Skill 更新状态:成功。健康检查已完成。

(English: Updates have been applied per your confirmation. OpenClaw update status: success. Skill update status: success. Health check completed.)

Plan expired

Use wording like:

待更新计划已过期,未执行任何更新。请先重新检查更新。

(English: The pending update plan has expired and no updates were applied. Please run a fresh update check first.)

Failure handling

If any step fails:

  1. Stop immediately.
  2. Record the failure in history.json.
  3. Report the exact failing step.
  4. Never claim success when updates were not fully applied.

Common failure causes:

  • no network
  • permission denied
  • clawhub missing
  • update command unavailable
  • pending plan missing
  • pending plan expired
  • doctor failed

Design intent

This skill is intentionally conservative. It is meant for operators who want the visibility of automatic update checks but want to keep change approval in human hands.
