Skills Updater
v1.1.0Automatically detect, backup, and update OpenClaw skills using caching, retry logic, dry-run mode, and detailed upgrade reports.
⭐ 0· 144·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (Skills Updater) matches the included script and SKILL.md: it scans skill directories, detects versions, creates backups, and can fetch updates from a ClawHub API. The script’s declared search paths and backup/report locations are consistent with the updater purpose.
Instruction Scope
Instructions and the script operate on user home paths (~/.openclaw, ~/.openclaw/workspace, ~/Desktop) and create backups of entire skill directories. That is coherent for an updater, but note that backups will copy any files inside skills (including any secrets a skill may contain). The SKILL.md claims only ~/.openclaw/skills is scanned, while the script also checks several other directories (e.g., ~/OpenClaw/skills and ~/.openclaw/workspace/skills) — this is a minor mismatch you should be aware of.
Install Mechanism
No install spec; asset is instruction + Python script. Nothing is downloaded during install time; code runs from the skill directory when executed. This is low-risk from an install mechanism perspective.
Credentials
No environment variables or external credentials are requested. Network access is used only to query the ClawHub metadata and to download updates (per SKILL.md and script). That is appropriate for the stated purpose. There are no unrelated credentials requested.
Persistence & Privilege
The skill is not configured as always-enabled and does not request system-level persistence. It reads/writes files in the user’s home directories (cache, backups, workspace) which is expected for this utility.
Assessment
This updater appears to be internally consistent with its purpose, but review a few things before enabling automatic updates: 1) Run in --dry-run and/or --cache-only first to see what would change. 2) Inspect the included script (scripts/check-skill-updates.py) yourself to confirm behavior you’re comfortable with—it will copy entire skill directories to ~/Desktop/skill-backups. Backups can therefore include any secrets stored inside skills, so ensure you’re OK with that destination/permissions. 3) Verify the ClawHub base URL (script uses https://clawhub.ai) and that you trust that registry; network downloads happen when --auto is used. 4) There are multiple minor inconsistencies in metadata and docs (version numbers differ between SKILL.md, README.md, and _meta.json; README support URL differs from the script’s API host; some performance/metric claims appear exaggerated). These look like sloppy packaging rather than malicious intent but justify caution. 5) Keep automatic mode off until you’ve confirmed behavior locally; prefer dry-run and manual restore testing first.Like a lobster shell, security has layers — review code before you run it.
latestvk971k8z7q24v71b4w04wkgpza183v67m
License
MIT-0
Free to use, modify, and redistribute. No attribution required.