Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiaopi Auto Updater

v1.0.0

Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of w...

0 · 97 · 1 current · 1 all-time
by Adin @a-din · duplicate of @gwsq/auto-updater-1-0-0-1

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for a-din/xiaopi-auto-updater.

Install the skill "Xiaopi Auto Updater" (a-din/xiaopi-auto-updater) from ClawHub.
Skill page: https://clawhub.ai/a-din/xiaopi-auto-updater
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xiaopi-auto-updater

ClawHub CLI

npx clawhub@latest install xiaopi-auto-updater

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The declared purpose (daily auto-update of Clawdbot and installed skills) matches the runtime instructions: add a cron job, run clawdbot update/doctor, and run clawdhub update --all. Required permissions (writing under ~/.clawdbot, running package managers, possibly elevated privileges for global npm/pnpm installs) are consistent with the task. However the registry metadata (_meta.json ownerId/slug) does not match the registry metadata provided, and the package has no homepage or source URL — this discrepancy is unexpected and worth verifying with the publisher.
Instruction Scope
SKILL.md and references instruct the agent to examine installation type (checking ~/.clawdbot, /opt), create a script at ~/.clawdbot/scripts/auto-update.sh, log to ~/.clawdbot/logs/, and run global package manager commands and clawdhub. All of these actions are within scope for an updater. The instructions do not reference unrelated system paths, external upload endpoints, or extra environment variables. Still, the script will execute arbitrary package updates (npm/pnpm/bun) which can change code and behavior — so reviewing the exact commands and the registries they pull from is important.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to install from remote URLs, which minimizes supply-chain risk from the skill bundle itself. The updater relies on existing system tools (clawdbot, clawdhub, npm/pnpm/bun) rather than downloading code from arbitrary URLs.
Credentials
The skill declares no required environment variables, credentials, or config paths. The runtime instructions use $HOME and check local paths (e.g., ~/.clawdbot) which is proportional to an updater. There is no request for unrelated secrets or external tokens.
Persistence & Privilege
The skill recommends adding a cron job (persistence appropriate for periodic updates). It does not set always:true and does not demand permanent elevated privileges in its manifest. However, the cron job will run commands capable of performing system-wide updates (including global npm updates), so consider the privilege context (which user runs the cron) and whether updates should be limited or reviewed.
What to consider before installing
What to check before installing:

- Verify publisher & metadata: the skill bundle lacks a homepage/source and the included _meta.json ownerId/slug differs from the registry metadata — confirm you trust the account that published this skill.
- Review the script before enabling: the helper script (~/.clawdbot/scripts/auto-update.sh) is created and will run package manager and clawdhub commands. Open and read it to ensure it does nothing unexpected.
- Run a dry-run first: use `clawdhub update --all --dry-run` and test the commands manually before enabling cron to see what would change.
- Limit privilege & scope: run the cron under an isolated user/session (the skill already suggests --session isolated) and avoid running global package managers as root unless you understand the implications.
- Backup & logging: ensure backups exist and retain the update log (~/.clawdbot/logs/auto-update.log) so you can inspect changes and recover if an update introduces issues.
- Consider restricting updates to trusted skills: automatic updates can introduce new code; if you rely on sensitive skills, prefer manual review or whitelist-only updates.

Why I flagged this as suspicious rather than benign: the runtime behavior is coherent with the described purpose, but missing source/homepage and inconsistent metadata raise provenance concerns — those should be resolved before you allow automatic updates to run.
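
The publisher and allowlist checks from the list above can be run as a gate before any automatic update. This is an added example, not code from the skill or from ClawHub; it assumes each installed skill is a directory holding a `_meta.json` with the `slug` and `ownerId` fields the scan names, and the directory layout, the pin format and all sample values are constructed.

```python
import json
import tempfile
from pathlib import Path

def audit_skills(skills_dir, pins):
    """Return {skill_dir: [problems]}; pins maps skill_dir -> reviewed slug/ownerId."""
    findings = {}
    for skill in sorted(p for p in Path(skills_dir).iterdir() if p.is_dir()):
        problems, pin = [], pins.get(skill.name)
        try:
            meta = json.loads((skill / "_meta.json").read_text(encoding="utf-8"))
            if not isinstance(meta, dict):
                raise ValueError("top level is not an object")
        except (OSError, ValueError):  # missing, unreadable or malformed JSON
            meta = None
            problems.append("_meta.json missing or unreadable")
        if pin is None:
            problems.append("not on allowlist")
        elif meta is not None:
            for field in ("slug", "ownerId"):  # the two fields the scan names
                if meta.get(field) != pin[field]:
                    problems.append(f"{field} mismatch: bundle={meta.get(field)!r} pinned={pin[field]!r}")
        if problems:
            findings[skill.name] = problems
    return findings

def run_demo():
    """Audit a constructed install tree; every name and id below is made up."""
    bundles = {
        "trusted-skill": {"slug": "trusted-skill", "ownerId": "owner-aaa"},
        "renamed-skill": {"slug": "other-slug", "ownerId": "owner-zzz"},
        "unpinned-skill": {"slug": "unpinned-skill", "ownerId": "owner-ccc"},
    }
    pins = {
        "trusted-skill": {"slug": "trusted-skill", "ownerId": "owner-aaa"},
        "renamed-skill": {"slug": "renamed-skill", "ownerId": "owner-bbb"},
        "no-meta-skill": {"slug": "no-meta-skill", "ownerId": "owner-ddd"},
    }
    with tempfile.TemporaryDirectory() as root:
        for name, meta in bundles.items():
            (Path(root) / name).mkdir()
            (Path(root) / name / "_meta.json").write_text(json.dumps(meta), encoding="utf-8")
        (Path(root) / "no-meta-skill").mkdir()  # pinned, but ships no metadata
        return audit_skills(root, pins)

if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {'; '.join(problems)}")
```

A non-empty result is the signal to skip the scheduled update and review the listed skills by hand.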

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔄 Clawdis
OS: macOS · Linux
latest: vk976vym64arfjwx3572n20f6rs83rbge
97 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

Auto-Updater Skill

Keep your Clawdbot and skills up to date automatically with daily update checks.

What It Does

This skill sets up a daily cron job that:

  1. Updates Clawdbot itself (via clawdbot doctor or package manager)
  2. Updates all installed skills (via clawdhub update --all)
  3. Messages you with a summary of what was updated

Setup

Quick Start

Ask Clawdbot to set up the auto-updater:

Set up daily auto-updates for yourself and all your skills.

Or manually add the cron job:

clawdbot cron add \
  --name "Daily Auto-Update" \
  --cron "0 4 * * *" \
  --tz "America/Los_Angeles" \
  --session isolated \
  --wake now \
  --deliver \
  --message "Run daily auto-updates: check for Clawdbot updates and update all skills. Report what was updated."

Configuration Options

| Option | Default | Description |
| --- | --- | --- |
| Time | 4:00 AM | When to run updates (use --cron to change) |
| Timezone | System default | Set with --tz |
| Delivery | Main session | Where to send the update summary |

How Updates Work

Clawdbot Updates

For npm/pnpm/bun installs:

npm update -g clawdbot@latest
# or: pnpm update -g clawdbot@latest
# or: bun update -g clawdbot@latest

For source installs (git checkout):

clawdbot update

Always run clawdbot doctor after updating to apply migrations.

Skill Updates

clawdhub update --all

This checks all installed skills against the registry and updates any with new versions available.

Update Summary Format

After updates complete, you'll receive a message like:

🔄 Daily Auto-Update Complete

**Clawdbot**: Updated to v2026.1.10 (was v2026.1.9)

**Skills Updated (3)**:
- prd: 2.0.3 → 2.0.4
- browser: 1.2.0 → 1.2.1  
- nano-banana-pro: 3.1.0 → 3.1.2

**Skills Already Current (5)**:
gemini, sag, things-mac, himalaya, peekaboo

No issues encountered.

Manual Commands

Check for updates without applying:

clawdhub update --all --dry-run

View current skill versions:

clawdhub list

Check Clawdbot version:

clawdbot --version

Troubleshooting

Updates Not Running

  1. Verify cron is enabled: check cron.enabled in config
  2. Confirm Gateway is running continuously
  3. Check cron job exists: clawdbot cron list

Update Failures

If an update fails, the summary will include the error. Common fixes:

  • Permission errors: Ensure the Gateway user can write to skill directories
  • Network errors: Check internet connectivity
  • Package conflicts: Run clawdbot doctor to diagnose

Disabling Auto-Updates

Remove the cron job:

clawdbot cron remove "Daily Auto-Update"

Or disable temporarily in config:

{
  "cron": {
    "enabled": false
  }
}
