ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Update Scout

Automate update tracking for OpenClaw and any other GitHub-released tools. Scout monitors your watchlist weekly, reviews release notes with a security lens,...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 43 · 0 current installs · 0 all-time installs
by@ziggy2socks
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the behavior: scripts poll GitHub, summarize release notes, check issues, and manage a local watchlist. Required resources (local config files, optional GITHUB_TOKEN) are appropriate for this functionality.
Instruction Scope
SKILL.md tells the agent to run the included scripts which read/write ~/.config/scout and (for reviews) the skills directory (~/.openclaw/workspace/skills). This matches the stated purpose. Note: version detection supports running user-specified commands (detect.type=command) and npm/pip/file checks — running those commands is required to detect installed versions, but they will execute whatever command appears in the watchlist, so watchlist entries must be trusted.
Install Mechanism
No install spec; this is an instruction-only skill with shipped scripts. Nothing is downloaded or installed automatically by the skill itself.
Credentials
No required environment variables. GITHUB_TOKEN is referenced only as an optional token to increase GitHub API rate limits and is not stored. Requested env access is proportionate to the skill's use of the GitHub API.
Persistence & Privilege
The skill writes its own config under ~/.config/scout and reads the user's skills directory when reviewing skills; it does not request always:true or system-wide privileges. Be aware that scripts run subprocesses (npm, pip, or arbitrary detect commands) as the invoking user — do not run as root, and ensure watchlist entries are trusted. Autonomous model invocation is permitted by default on the platform; combined with the ability to add watchlist entries that run commands, that could lead to local command execution if misused by an agent.
Assessment
This skill appears internally consistent with its stated role as a GitHub release watcher and reviewer. Before installing: review the packaged scripts yourself (they are included) and confirm you trust the publisher (source is unknown). Be cautious about adding watchlist entries that use detect.type=command — the exact command you store will be executed on your machine when checking versions. Only set GITHUB_TOKEN if you understand it increases API rate limits (the skill does not store the token). Don't run the skill as root; restrict its use to a non-privileged account. If you plan to let the agent invoke the skill autonomously, consider whether you trust that agent to not add malicious watchlist entries or run the review scripts without your supervision.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.1.2
Download zip
automationvk971mdsp1491rzcnqhscp2qvqn82zwjkgithubvk971mdsp1491rzcnqhscp2qvqn82zwjklatestvk971mdsp1491rzcnqhscp2qvqn82zwjkmaintenancevk971mdsp1491rzcnqhscp2qvqn82zwjksecurityvk971mdsp1491rzcnqhscp2qvqn82zwjkself-improvementvk971mdsp1491rzcnqhscp2qvqn82zwjkupdatesvk971mdsp1491rzcnqhscp2qvqn82zwjk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Scout — Software Update Advisor

Scout monitors GitHub releases for watched tools, reviews release notes, assesses risk, and recommends whether to upgrade. It never installs anything without explicit approval.

Running a Check

python3 scripts/check_updates.py
# structured output:
python3 scripts/check_updates.py --json

Config is read from ~/.config/scout/watchlist.json. Created automatically on first run with openclaw as the default.

Adding a Tool (conversational)

When a user wants to add a tool, ask for:

  1. GitHub repo (e.g. owner/repo)
  2. How to detect the installed version (command, npm, pip, or file)

Then run:

python3 scripts/add_tool.py \
  --name "tool-name" \
  --repo "owner/repo" \
  --detect-type command \
  --detect-cmd "tool --version" \
  --version-prefix "v" \
  --notes "What this tool does"

See references/watchlist.md for supported detect types and examples.

Verifying a Release

Before recommending any upgrade, run the issue checker:

python3 scripts/verify_release.py --repo owner/repo --since YYYY-MM-DD

Reports bug-labeled issues and regression keywords created after the release date.

Skipping a Version

When a user decides to skip an update:

python3 scripts/skip_release.py --tool toolname --version v1.2.3 --reason "why"
# list skipped:
python3 scripts/skip_release.py --list
# un-skip:
python3 scripts/skip_release.py --clear --tool toolname

Skipped versions are stored in ~/.config/scout/skip_list.json and suppressed from future check_updates.py output.

Review Workflow

For every update found, produce a full recommendation card before asking for approval:

🔔 Update: <tool name> <installed> → <latest>
   Source: <GitHub repo> by <author/org>
   Released: <date>

Risk: 🟢/🟡/🔴 <level>

What changed:
- <plain-language summary>
- <note security fixes, breaking changes, new permissions>

Impact on our setup:
- <what this touches in config/workflow>
- <anything requiring config changes or re-auth>

Post-release issues: <none found / list any regressions>

Recommendation: <Upgrade now / Wait / Skip>
Reason: <one sentence>

Never ask "want me to upgrade X?" without the full card. The user needs enough context to decide without prior knowledge of the tool.

Risk levels:

  • 🟢 Low — patch/fix only, no config changes, no new permissions
  • 🟡 Medium — new features, minor config additions, optional breaking changes
  • 🔴 High — breaking changes, auth changes, schema migrations, security patches

After Approval

  1. Run the appropriate install command for the tool
  2. Validate config if applicable (openclaw config validate)
  3. Restart services if needed
  4. Confirm health

Skill Health Review

Periodically review your own skills against OpenClaw best practices:

python3 scripts/review_skills.py [--skills-dir /path/to/skills]

Checks each skill for structural issues and quality improvements. Reports findings — all changes require explicit approval before applying.

Periodic Use

Add to heartbeat or weekly cron. Recommended cadence: weekly (Sundays).

Files

8 total
Select a file
Select a file to preview.

Comments

Loading comments…