Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Package Updater

v1.0.0

Auto-checks and updates outdated dependencies. Shows changelogs and breaking changes before updating. Triggers: update dependencies, upgrade packages, check...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sky-lv/package-updater.

Prompt preview (Install & Setup):
Install the skill "Package Updater" (sky-lv/package-updater) from ClawHub.
Skill page: https://clawhub.ai/sky-lv/package-updater
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install package-updater

ClawHub CLI


npx clawhub@latest install package-updater

Note that `@latest` resolves to whatever version of the clawhub CLI is published at the moment you run it; pin an explicit version if you need a reproducible install.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (auto-checks and updates dependencies) aligns with the instructions (detect package manager, run outdated checks, update in stages). However the metadata declares no required binaries while the runtime instructions expect npm, pip, cargo, go toolchain and git to exist. That mismatch is unexplained.
Instruction Scope
Instructions stay within the stated purpose (scanning manifests, running package manager outdated commands, assessing risk, updating, running tests, committing). They do not attempt to exfiltrate data or contact unexpected endpoints. Concerns: the doc is vague about where to run (project root detection), what test command to run, how to perform updates exactly (which update commands to invoke), and it assumes committing is acceptable and that a VCS exists. Those gaps grant broad agent discretion which could lead to unexpected changes if not constrained.
Install Mechanism
Instruction-only skill with no install spec or code files, so nothing is written to disk by the skill itself. This is low install risk.
Credentials
No environment variables or credentials are requested, which is appropriate. However the skill implicitly requires access to local developer tools (npm, pip, cargo, go, git) and network access to package registries; these are not declared in the metadata. That omission reduces transparency and could surprise users.
Persistence & Privilege
always:false and no install steps mean the skill does not request permanent privileged presence. It does instruct committing changes to the repository, which modifies user data, but this is normal for a dependency-updater if user consents.
What to consider before installing
This skill appears to do what it says, but the SKILL.md assumes tools (npm, pip, cargo, go, git) and test commands exist while the metadata declares none—ask the publisher to clarify required binaries and exact update/test/commit commands. Before running: (1) run it on a non-critical branch or clone, (2) ensure you have backups and CI or tests configured, (3) verify the tool will prompt for confirmation before applying major updates, and (4) prefer running manually the first time to review the generated report and changelogs. If you need higher assurance, request explicit declarations of required binaries, sample commands the skill will run, and whether it will push commits automatically or only prepare local commits for review.

Like a lobster shell, security has layers — review code before you run it.

latest: vk973sf8hrp8rq5yzqdb2epn68185mtvp
30 downloads
0 stars
1 version
Updated 7h ago
v1.0.0
MIT-0

Dependency Updater

Overview

Scans project dependencies and checks for updates, shows changelogs, identifies breaking changes.

When to Use

  • User asks to "update dependencies" or "check for updates"
  • Regular maintenance

How It Works

Step 1: Detect package manager

  • package.json -> npm
  • pyproject.toml -> pip
  • Cargo.toml -> cargo
  • go.mod -> go

Step 2: Check outdated

  • npm: npm outdated --json
  • pip: pip list --outdated --format=json
  • cargo: cargo outdated
  • go: (no command is specified)

Step 3: Risk assessment

  • Patch (1.2.3 -> 1.2.4): Low risk - auto-update
  • Minor (1.2.3 -> 1.3.0): Medium - show changelog
  • Major (1.2.3 -> 2.0.0): High - show breaking changes

Caveat: these rules assume versions at 1.0.0 or above. Semver makes no compatibility promise for 0.x releases, and npm's default caret range (^0.21.1) already refuses 0.22.0, so a minor bump within 0.x should be treated as major. Prerelease targets (2.0.0-rc.1) should never be auto-applied.

Output Format

Major Updates: express 4.17.1 -> 5.0.0 [BREAKING changes]
Minor Updates: axios 0.21.1 -> 0.21.4 [Bug fixes]
Patch Updates: debug 4.3.1 -> 4.3.4 [Security patch]

(By the Step 3 rules, axios 0.21.1 -> 0.21.4 is a patch-level bump, not a minor one.)

Update Strategy

  1. Show report first - never update blindly
  2. Update in stages: patches -> minors -> majors
  3. Run tests after each update
  4. Commit each update separately
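The three steps and the staged strategy above, carried through as an added example (my code, not part of this skill or of ClawHub): detect the package manager from the manifest, check that the binary it needs is actually on PATH (the mismatch the scan flagged), parse the outdated report, classify each dependency by semver distance and bucket the updates into the skill's stages. The sample `npm outdated --json` and `pip list --outdated --format=json` payloads are constructed, not captured from a real project, and the Go command in the table is my assumption since the skill gives none.

```python
"""Worked example of the Package Updater flow on constructed input: detect the
package manager from manifest files, check the matching tool is on PATH, parse
the outdated report, classify each dependency by semver distance and order the
updates into the skill's stages (patches -> minors -> majors)."""
import json
import re
import shutil
from pathlib import Path

# Manifest file -> (package manager, binary required on PATH, outdated command).
# The first three commands are the ones SKILL.md names; the Go command is an
# assumption, because SKILL.md gives no outdated command for Go.
MANIFESTS = {
    "package.json": ("npm", "npm", ["npm", "outdated", "--json"]),
    "pyproject.toml": ("pip", "pip", ["pip", "list", "--outdated", "--format=json"]),
    "Cargo.toml": ("cargo", "cargo", ["cargo", "outdated"]),
    "go.mod": ("go", "go", ["go", "list", "-m", "-u", "all"]),
}

# major.minor.patch with an optional semver prerelease suffix (group 4).
SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")


def detect(project_dir):
    """Return (manager, binary, command) for the first manifest found, else None."""
    for name, spec in MANIFESTS.items():
        if Path(project_dir, name).is_file():
            return spec
    return None


def tool_available(binary):
    """Preflight for the gap the scan flagged: the metadata declares no binaries,
    so confirm the one the detected manager needs exists before invoking it."""
    return shutil.which(binary) is not None


def classify(current, latest):
    """patch / minor / major / none (not newer) / unknown (needs human review).

    Missing, unparseable or prerelease versions are 'unknown' so they are never
    auto-applied.  A minor bump inside 0.x counts as major: semver promises
    nothing for 0.x and npm's caret range (^0.21.1) already excludes 0.22.0.
    """
    a = SEMVER.match(current or "")
    b = SEMVER.match(latest or "")
    if not a or not b or a.group(4) or b.group(4):
        return "unknown"
    cm, cn, cp = (int(x) for x in a.groups()[:3])
    lm, ln, lp = (int(x) for x in b.groups()[:3])
    if (lm, ln, lp) <= (cm, cn, cp):
        return "none"
    if lm > cm or (lm == 0 and ln > cn):
        return "major"
    if ln > cn:
        return "minor"
    return "patch"


def parse_npm(raw):
    """`npm outdated --json` -> [(name, current, latest)].  'current' is absent
    when the package is not installed; classify() then reports 'unknown'."""
    return [(n, d.get("current"), d.get("latest")) for n, d in json.loads(raw).items()]


def parse_pip(raw):
    """`pip list --outdated --format=json` -> [(name, current, latest)]."""
    return [(d["name"], d["version"], d["latest_version"]) for d in json.loads(raw)]


def plan(entries):
    """Bucket updates into the skill's stages; 'unknown' lands in 'review'."""
    stages = {"patch": [], "minor": [], "major": [], "review": []}
    for name, cur, latest in entries:
        kind = classify(cur, latest)
        if kind == "none":
            continue
        stages["review" if kind == "unknown" else kind].append((name, cur, latest))
    return stages


def report(stages):
    """Render the report in the SKILL.md output format, majors first."""
    order = [("major", "Major Updates"), ("minor", "Minor Updates"),
             ("patch", "Patch Updates"), ("review", "Needs Review")]
    out = []
    for key, title in order:
        if stages[key]:
            out.append(f"{title}:")
            out.extend(f"  {n} {c} -> {l}" for n, c, l in stages[key])
    return "\n".join(out)


# Constructed sample output, not captured from a real project.  The npm versions
# are the ones SKILL.md uses in its own report, plus a package that is listed
# but not installed ("example-lib", a hypothetical name) and a PEP 440
# prerelease from pip, which the semver regex rejects on purpose.
SAMPLE_NPM = json.dumps({
    "express": {"current": "4.17.1", "wanted": "4.17.1", "latest": "5.0.0"},
    "axios": {"current": "0.21.1", "wanted": "0.21.4", "latest": "0.21.4"},
    "debug": {"current": "4.3.1", "wanted": "4.3.4", "latest": "4.3.4"},
    "example-lib": {"wanted": "1.3.0", "latest": "1.3.0"},
})
SAMPLE_PIP = json.dumps([
    {"name": "requests", "version": "2.25.1", "latest_version": "2.31.0"},
    {"name": "rich", "version": "13.0.0", "latest_version": "14.0.0rc1"},
])

if __name__ == "__main__":
    spec = detect(".")
    if spec and not tool_available(spec[1]):
        print(f"{spec[0]} detected but `{spec[1]}` is not on PATH; aborting")
    print(report(plan(parse_npm(SAMPLE_NPM) + parse_pip(SAMPLE_PIP))))
```

Run it in a project directory to see the staged plan for the constructed sample; wiring `subprocess.run(spec[2], capture_output=True)` in place of the sample strings gives the live report. The point worth keeping when you let the agent drive this: anything that lands in "Needs Review" (no installed version, prerelease target) must stay out of the auto-update stage, and the 0.x rule keeps the "patch = auto-update" shortcut from silently pulling in breaking changes.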
