OpenClaw Version Monitor
v2.0.2
Check OpenClaw release notes from GitHub, show highlights and categorized changes translated to the user's language.
by Jeff (@tjefferson)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md explicitly fetches releases from the openclaw/openclaw GitHub repo and summarizes/translates them. The declared primary credential (GITHUB_TOKEN) is appropriate for interacting with the GitHub API.
Instruction Scope
Instructions only call the GitHub REST API (curl examples) and operate on release JSON fields (tag_name, published_at, prerelease, author.login, html_url, body). They do not instruct reading local files, other env vars, or sending data to unrelated endpoints. Translation and filtering behavior is narrowly scoped to the release content.
Install Mechanism
No install spec or code files are present (instruction-only). Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill design is proportionate: it optionally uses GITHUB_TOKEN to raise GitHub API rate limits. The registry metadata shows GITHUB_TOKEN as primaryEnv while 'required env vars' is empty — this is acceptable because the token is optional (used only to increase rate limits), but the metadata could be clearer about optional vs required. No other secrets or unrelated environment variables are requested.
Persistence & Privilege
always is false and there is no install-time persistence. The skill can be invoked by the agent (normal behavior) but is not force-enabled globally.
Assessment
This skill appears to do exactly what it says: query OpenClaw release notes on GitHub, condense and translate them. If you plan to set GITHUB_TOKEN, prefer a token with minimal scope (for public repos no special scopes are needed) and avoid exposing organization-wide or high-privilege tokens. Because the skill source and homepage are unknown, consider whether you trust the skill publisher before granting any token; you can also use it without a token (rate-limited) or create a limited-purpose token. Finally, verify outputs against the GitHub release page when acting on upgrade or security-critical information.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📦 Clawdis
Primary env: GITHUB_TOKEN
