Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skylv Dependency Updater

v1.0.0

Auto-checks and updates outdated dependencies. Shows changelogs and breaking changes before updating. Triggers: update dependencies, upgrade packages, check...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sky-lv/skylv-dependency-updater.

Prompt preview (Install & Setup):
Install the skill "Skylv Dependency Updater" (sky-lv/skylv-dependency-updater) from ClawHub.
Skill page: https://clawhub.ai/sky-lv/skylv-dependency-updater
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install sky-lv/skylv-dependency-updater

ClawHub CLI


npx clawhub@latest install skylv-dependency-updater

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description match the instructions: it scans for package manifests and runs package-manager checks. However, the metadata lists no required binaries or config paths while the SKILL.md expects npm, pip, cargo, go (and implicitly git and test runners) to be available. The lack of declared runtime dependencies is a documentation/incoherence issue.
Instruction Scope
Instructions direct the agent to detect package managers by reading project files (package.json, pyproject.toml, etc.), run commands that may contact registries (npm outdated, pip list --outdated, cargo outdated), run tests after each update, and commit changes. Running tests and committing changes executes code and writes to the repository — reasonable for an updater but high-privilege. The SKILL.md doesn't require explicit user confirmation, sandboxing, or safety checks before executing these actions.
Install Mechanism
Instruction-only skill with no install spec, so nothing is written to disk by the skill itself. This is lowest install risk. However, some referenced tools (e.g., cargo-outdated) may be third-party subcommands not present by default; the skill doesn't explain how to obtain them.
Credentials
The skill requests no environment variables or credentials, which is consistent at face value. In practice, updating packages in projects that use private registries may require auth tokens (npm, pip indexes) or git credentials to push commits; the SKILL.md does not mention or justify access to such credentials or how they will be used.
Persistence & Privilege
The skill is not always-enabled and has no install-time persistence. It does not request system-wide configuration changes or access to other skills' configs.
What to consider before installing
This skill appears to do what it says, but it has gaps and potential risks you should consider before enabling it:

  • The SKILL.md instructs the agent to read project files, run package-manager commands, run tests, and make git commits. Those are reasonable for a dependency updater but are high-privilege operations because tests and scripts in a repo can execute arbitrary code.
  • The skill metadata did not declare required binaries (npm, pip, cargo, go, git, test runners) or mention how it handles private registries/auth tokens. Expect runtime failures or unexpected behavior if those tools/credentials are missing.
  • Ask or require the agent to prompt for explicit confirmation before making any updates, running tests, or committing changes. Prefer running updates in a disposable/sandboxed environment and creating backups or branches before changes.
  • If your projects use private package registries or require git push access, consider restricting which credentials the skill can use and only provide scoped tokens if you decide to proceed.
  • If you are not comfortable with the agent running tests or committing changes autonomously, do not enable autonomous invocation for this skill and require manual review of its report before any update actions.

If the publisher can (a) declare required binaries, (b) describe credential usage and confirmation prompts, and (c) document sandboxing/testing safeguards, the risk would be much lower.


latest: vk975fasd46jpppkgtpzfnprky58568bj
96 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
License: MIT-0

Dependency Updater

Overview

Scans project dependencies and checks for updates, shows changelogs, identifies breaking changes.

When to Use

  • User asks to "update dependencies" or "check for updates"
  • Regular maintenance

How It Works

Step 1: Detect package manager

  • package.json -> npm
  • pyproject.toml -> pip
  • Cargo.toml -> cargo
  • go.mod -> go

Step 2: Check outdated

  • npm: npm outdated --json
  • pip: pip list --outdated --format=json
  • cargo: cargo outdated (the third-party cargo-outdated subcommand, not part of a stock cargo install)
  • go: not specified

Step 3: Risk assessment

  • Patch (1.2.3 -> 1.2.4): Low risk - auto-update
  • Minor (1.2.3 -> 1.3.0): Medium risk - show changelog
  • Major (1.2.3 -> 2.0.0): High risk - show breaking changes

This rule assumes SemVer. For 0.y.z versions SemVer makes no compatibility promise, so a minor bump from a 0.x version can be breaking and should be reviewed like a major one.

Output Format

Major Updates:
  express 4.17.1 -> 5.0.0 [BREAKING changes]
Minor Updates:
  axios 0.21.1 -> 0.22.0 [Bug fixes]
Patch Updates:
  debug 4.3.1 -> 4.3.4 [Security patch]

Update Strategy

  1. Show report first - never update blindly
  2. Update in stages: patches -> minors -> majors
  3. Run tests after each update
  4. Commit each update separately
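
The three steps, the output format and the staged strategy above, carried through in one script as an added example; this is not code from the skill or from ClawHub, and the function names are my own. It parses constructed samples in the shape that `npm outdated --json` and `pip list --outdated --format=json` emit, classifies each bump by the page's patch/minor/major rule, renders the grouped report and returns the staging plan. It deliberately stops there: it never runs an install, a test suite or a git commit, which are the high-privilege actions the scan above calls out. One caveat the page's rule lacks is built in: a non-major bump from a 0.x version is flagged as possibly breaking, since SemVer promises nothing for 0.y.z.

```python
"""Added example (not the skill's or ClawHub's code): builds the report the
SKILL.md describes from `npm outdated --json` / `pip list --outdated
--format=json` output. It only reads, classifies and plans; it never runs
an install, a test suite or a git commit."""
import json
import re
from collections import namedtuple

# Step 1: manifest file -> package manager, in the SKILL.md's order.
MANIFESTS = {"package.json": "npm", "pyproject.toml": "pip",
             "Cargo.toml": "cargo", "go.mod": "go"}
# Step 3: risk label and action per bump class, from the SKILL.md.
RISK = {"patch": ("Low", "auto-update candidate"),
        "minor": ("Medium", "show changelog"),
        "major": ("High", "show breaking changes")}
# Optional range prefix (^ ~ v = < >), then 1-3 numeric parts; a pre-release
# or build suffix ("-beta.1", "+sha") is ignored on purpose.
_VERSION_RE = re.compile(r"^[v^~=<>]*(\d+)(?:\.(\d+))?(?:\.(\d+))?")
Outdated = namedtuple("Outdated", "name current latest bump")

def parse_version(text):
    """'^4.17.1' -> (4, 17, 1); '1.2' -> (1, 2, 0); '5.0.0-beta.1' -> (5, 0, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def detect_package_manager(filenames):
    """Step 1: first known manifest present wins; None if there is none."""
    present = set(filenames)
    return next((mgr for f, mgr in MANIFESTS.items() if f in present), None)

def classify_bump(current, latest):
    """Step 3: 'patch' | 'minor' | 'major', or None when latest is not newer."""
    cur, new = parse_version(current), parse_version(latest)
    if new <= cur:
        return None
    if new[0] != cur[0]:
        return "major"
    return "minor" if new[1] != cur[1] else "patch"

def from_npm_outdated(raw_json):
    """`npm outdated --json`: dict keyed by name with current/wanted/latest;
    'current' is absent for a dependency that is not installed locally."""
    items = []
    for name, info in json.loads(raw_json).items():
        cur = info.get("current")
        bump = classify_bump(cur, info["latest"]) if cur else None
        if bump:
            items.append(Outdated(name, cur, info["latest"], bump))
    return items

def from_pip_outdated(raw_json):
    """`pip list --outdated --format=json`: list of name/version/latest_version."""
    items = []
    for info in json.loads(raw_json):
        bump = classify_bump(info["version"], info["latest_version"])
        if bump:
            items.append(Outdated(info["name"], info["version"],
                                  info["latest_version"], bump))
    return items

def render_report(items):
    """Output Format: grouped major -> minor -> patch, one line per package.
    Caveat the SKILL.md rule lacks: SemVer promises nothing for 0.y.z, so a
    non-major bump from a 0.x version is flagged as possibly breaking."""
    lines = []
    for bump, heading in (("major", "Major Updates"), ("minor", "Minor Updates"),
                          ("patch", "Patch Updates")):
        group = [i for i in items if i.bump == bump]
        if not group:
            continue
        lines.append(f"{heading}:")
        for i in group:
            risk, action = RISK[bump]
            note = f"{risk} risk - {action}"
            if bump != "major" and parse_version(i.current)[0] == 0:
                note += "; 0.x version, may be breaking"
            lines.append(f"  {i.name} {i.current} -> {i.latest} [{note}]")
    return "\n".join(lines)

def plan_stages(items):
    """Update Strategy: patches, then minors, then majors; each stage is to be
    applied, tested and committed on its own before the next begins."""
    return [(s, [i.name for i in items if i.bump == s])
            for s in ("patch", "minor", "major")]

# Constructed sample outputs (not real scan results), in the tools' own shape.
SAMPLE_NPM = json.dumps({
    "express": {"current": "4.17.1", "wanted": "4.17.3", "latest": "5.0.0"},
    "axios": {"current": "0.21.1", "wanted": "0.21.4", "latest": "0.22.0"},
    "debug": {"current": "4.3.1", "wanted": "4.3.4", "latest": "4.3.4"},
    "left-pad": {"wanted": "1.3.0", "latest": "1.3.0"},  # not installed
})
SAMPLE_PIP = json.dumps([
    {"name": "requests", "version": "2.25.1", "latest_version": "2.31.0"},
    {"name": "urllib3", "version": "1.26.5", "latest_version": "2.2.1"},
])
```

`render_report(from_npm_outdated(SAMPLE_NPM))` yields the grouped text, and `plan_stages(...)` gives the order in which an operator (or an agent that has been told to ask first) would apply, test and commit each batch. Feeding real output is a matter of replacing the sample strings with `subprocess.run([...], capture_output=True).stdout`; that step is left out so the example itself touches no registry and executes nothing from the repository.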
