Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Version Drift Publish

One command to check if your entire stack is up to date. SSHes into servers, queries APIs, and compares installed versions against latest — across every serv...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 28 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description say it will SSH, call HTTP APIs, and run local commands to discover versions; the included config examples and drift.py implement exactly that. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md and drift.py permit executing arbitrary shell commands on local and remote hosts, fetching arbitrary HTTP endpoints, and saving state to a local file. That is necessary for the stated goal, but it gives the script high power — any command you place in config.yaml will be executed.
Install Mechanism
There is no install spec and no remote downloads; this is an instruction-only skill with an included Python script. It optionally uses pyyaml if installed but falls back to JSON. No high-risk installers or external archives are pulled.
Credentials
The skill declares no required env vars but reads environment variables at runtime (expand_env, and optional GITHUB_TOKEN for GitHub API rate limits). config.example.yaml shows placeholders like ${HA_TOKEN} and ${API_KEY}. The skill will expand and use any env var referenced in your config, so it can access secrets you place into environment variables even though none are listed in the metadata.
Persistence & Privilege
Not always-included and not auto-installed. The tool writes a local state file (default state.json) to track drift and uses SSH with StrictHostKeyChecking=accept-new by default (trust-on-first-use). Both behaviors are normal for this tool but worth noting for operational security.
Assessment
This skill is coherent with its stated purpose, but it is powerful: it will run arbitrary shell commands locally and over SSH and will issue HTTP requests to any URL you configure. Before you install or run it: (1) review config.yaml carefully — any command in 'installed' will be executed; (2) keep secrets minimal and put them in environment variables with least-privilege tokens (the script will expand and use any ${VAR} you reference); (3) prefer a non-root SSH user with read-only permissions where possible; (4) be aware it writes a state file (state.json) in the working directory; (5) consider running first in a sandbox or CI runner with limited credentials; (6) if you need stronger SSH host verification, explicitly set strict_host_key in your config instead of using the default accept-new. If you want further checks, provide the full drift.py for deeper code review (the supplied snippet is large but truncated in places).

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.2.1
Tags: devops, drift-detection, homelab, infrastructure, latest, monitoring, self-hosted, updates, version-management

Runtime requirements

📊 Clawdis

SKILL.md

Version Drift

One command. Your entire stack. Are you current?

You run things. Lots of things. Docker on a VPS. Node.js on a web server. Home Assistant on a Pi. Postgres in a container. Python on your laptop. They each update on their own schedule, and you check them... sometimes. Usually after something breaks.

Version Drift fixes that. It SSHes into your servers, queries your APIs, runs local commands, and compares what's actually installed against what's latest available. One config file. One command. One answer.

$ python3 drift.py check

Version Drift Report — 2026-03-16 08:30 UTC

Host             Check          Installed    Latest       Status
─────────────────────────────────────────────────────────────────
web-1            node           20.11.0      22.14.0      🔴 MAJOR
web-1            redis          7.2.4        7.4.2        ⚠️  DRIFT
nas              docker         27.5.1       28.0.1       ⚠️  DRIFT
home-assistant   core           2026.2.5     2026.3.3     ⚠️  DRIFT
this-machine     python         3.13.1       3.13.1       ✅ CURRENT
this-machine     openclaw       2026.3.13    2026.3.13    ✅ CURRENT

Summary: 2/6 current · 3 drifting · 1 major

How is this different?

  • Dependency scanners (npm audit, pip-audit) check your code. This checks your servers.
  • Release trackers tell you GitHub has a new release. This tells you your server is behind.
  • Uptime monitors tell you if something is running. This tells you if it's current.

Version Drift is the only tool that bridges the gap between "a new version exists" and "my infrastructure is running it."

How it works

  1. You write a config.yaml listing your hosts and what to check
  2. For each check, you tell it:
    • How to get the installed version (a shell command, or an API endpoint)
    • Where to find the latest version (GitHub, npm, PyPI, Docker Hub, or any HTTP endpoint)
  3. Run python3 drift.py check and get a report

That's it. No agents to install on every server. No dashboards. No SaaS. Just a script and a config file.

Setup

pip install pyyaml          # optional — falls back to JSON config
cp config.example.yaml config.yaml
# Edit config.yaml with your hosts and checks
python3 drift.py check

What you can check

Anything you can get a version number from. The installed version comes from a shell command (local or SSH) or an API response. The latest version comes from one of these sources:

Source            Example                     Checks
─────────────────────────────────────────────────────────────────────────────────────────
GitHub Releases   repo: "grafana/grafana"     Any open-source project with GitHub releases
npm Registry      package: "next"             Node.js packages
PyPI              package: "django"           Python packages
Docker Hub        repo: "library/postgres"    Docker images
Custom HTTP       url: "https://..."          Anything with a JSON API

Three ways to check installed versions:

Method   Use when
─────────────────────────────────────────────────────────────────────────────────────────
ssh      Checking a remote server you have SSH access to
http     Checking a service that exposes its version via API (Home Assistant, Grafana, Gitea, etc.)
local    Checking the machine running the script

Example configs

The config.example.yaml includes four ready-to-adapt templates:

  1. Homelab stack — Docker, nginx, Postgres, Home Assistant, Python, Node
  2. Production/DevOps — web servers, Redis, PM2, API gateways
  3. Docker-heavy — Traefik, Grafana, Postgres containers
  4. Python/Data Science — PyTorch, CUDA, pip packages on GPU boxes

Delete the ones you don't need, uncomment the ones you do, fill in your details.

Commands

python3 drift.py check                      # table output
python3 drift.py check --json               # for crons and pipelines
python3 drift.py check --markdown           # for Discord, Slack, or docs
python3 drift.py check --changes            # include release notes for drifting items
python3 drift.py check --only web-1         # check one host only
python3 drift.py check --config /alt/path   # use a different config

State tracking

Version Drift saves results between runs. On repeat checks, you'll see how long something has been drifting:

web-1    node    20.11.0    22.14.0    🔴 MAJOR (since 12 days ago)

Changelogs

Add --changes to see what actually changed between your version and latest:

$ python3 drift.py check --changes

Host             Check          Installed    Latest       Status
─────────────────────────────────────────────────────────────────
web-1            node           20.11.0      22.14.0      🔴 MAJOR DRIFT
                                ↳ 20.11.0 → 22.14.0 (major version bump 20 → 22)
                                  22.14.0 — Notable changes: V8 13.5, require(esm) stable
                                  22.13.0 — Node.js 22.13.0 LTS 'Jod'
                                  21.7.0 — WebSocket client, import.meta.dirname
                                  ... and 12 more releases
this-machine     python         3.13.1       3.13.1       ✅ CURRENT

For GitHub-hosted projects, Version Drift fetches actual release notes between your installed version and latest. For npm and PyPI packages, it traces back to the GitHub repo automatically.

This makes extra API calls, so it's opt-in. Set GITHUB_TOKEN to avoid rate limits when checking many items.

Automate it

Run on a cron, pipe the markdown output to Discord or Slack, and never be surprised by stale versions again:

# Weekly drift report to Discord via OpenClaw cron
python3 drift.py check --markdown

Environment variables

Secrets go in env vars, not config files:

headers:
  Authorization: "Bearer ${HA_TOKEN}"    # expanded at runtime

Set GITHUB_TOKEN to avoid GitHub API rate limits (60 req/hr unauthenticated → 5,000 with token).

Security

Version Drift needs to talk to your servers — that's the whole point. Here's what it does and why:

  • Shell commands — Runs version-check commands locally via sh -c (e.g., docker --version). Commands come from your config file, not from external sources.
  • SSH — Connects to hosts listed in your config to run version-check commands remotely. Uses your existing SSH keys and config. Host key checking defaults to accept-new (trust on first use, reject if the key changes). Override per-host with strict_host_key: "yes" for stricter checking or "no" for legacy behavior.
  • HTTP requests — Fetches version info from APIs (GitHub, npm, PyPI, Docker Hub, your services). SSL verification is on by default; set verify_ssl: false per-host only if you use self-signed certs.
  • Environment variables — Expands ${VAR} references in your config so you can keep secrets out of the config file.

No data leaves your machine except the version-check requests you configure. No telemetry, no analytics, no phone-home.
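
Because every configured command is executed and every ${VAR} reference is expanded, it helps to list both before the first run. The following pre-run audit is an added example, not part of drift.py or this skill; it walks a config in the JSON fallback form, and the hosts/checks layout, the `method` key and the sample values are assumptions.

```python
import json
import re

ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")  # ${VAR} placeholders
SHELL_OPS = re.compile(r"[;|&`<>]|\$\(")                 # more than one plain command

# Constructed sample in the JSON fallback form. The hosts/checks layout is assumed;
# `installed`, `headers`, `strict_host_key` and `verify_ssl` are the names the page uses.
SAMPLE_CONFIG = json.loads("""
{"hosts": [
  {"name": "web-1", "method": "ssh", "strict_host_key": "no",
   "checks": [{"name": "node", "installed": "node --version"},
              {"name": "redis", "installed": "redis-server --version | awk '{print $3}'"}]},
  {"name": "home-assistant", "method": "http", "verify_ssl": false,
   "headers": {"Authorization": "Bearer ${HA_TOKEN}", "X-Api-Key": "${API_KEY}"}}
]}
""")


def audit(config):
    """Return every command, env var name and weakened setting found in a config."""
    report = {"commands": [], "env_vars": set(), "findings": []}

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key == "installed" and isinstance(value, str):
                    report["commands"].append((here, value))
                    if SHELL_OPS.search(value):
                        report["findings"].append(f"{here}: shell operators, read the full command")
                # Unquoted `no` in YAML loads as boolean False under PyYAML.
                if key == "strict_host_key" and (value is False or str(value).lower() == "no"):
                    report["findings"].append(f"{here}: SSH host key checking disabled")
                if key == "verify_ssl" and value is False:
                    report["findings"].append(f"{here}: TLS certificate verification disabled")
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, str):
            report["env_vars"].update(ENV_REF.findall(node))

    walk(config, "")
    report["env_vars"] = sorted(report["env_vars"])  # names only, never values
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

The report lists variable names only, so it can be pasted into a review ticket without exposing the tokens themselves.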

Requirements

  • Python 3.8+
  • PyYAML (optional — can use config.json instead)
  • SSH access to remote hosts (for SSH checks)
  • That's it. No external services. No accounts. No agents to install.

Files

3 total