Clawhub Smart Updater

Warn

Audited by ClawScan on May 10, 2026.

Overview

This updater has a legitimate purpose, but it can automatically rewrite installed skill files across your workspace and contains unsafe command construction, so it should be reviewed before use.

Only install this if you are comfortable with a tool that can modify installed skills. Before use, run it in dry-run mode, disable auto_apply_safe, update one skill at a time, manually review SKILL.md/JSON/config changes, confirm a real rollback process exists, and avoid scheduling weekly automation until the shell-command handling is fixed.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A faulty or malicious upstream skill update could change multiple installed skills and affect future agent behavior before the user reviews every change.

Why it was flagged

The documented workflow can apply updates across all installed skills, not just a single user-selected skill, so a bad or unsafe update can propagate across the local agent environment.

Skill content

# 1. Check all installed skills for updates
...
- Apply safe changes automatically
- Flag conflicts for manual review

Recommendation

Make dry-run the default, require explicit approval per skill and per file, and strongly prefer updating one selected slug at a time.

What this means

An update to SKILL.md, README.md, skill.json, or config.json could alter a skill's instructions or behavior without meaningful review.

Why it was flagged

In OpenClaw skills, Markdown and JSON files can contain agent instructions, metadata, configuration, and permissions; treating them as automatically safe can persistently change what future agents read and follow.

Skill content

if rel_path.endswith(('.md', '.txt', '.json')):
    # Documentation and configs are usually safe
    safe_files.append({

Recommendation

Do not auto-apply instruction-bearing files such as SKILL.md, README.md, skill.json, or config files; require manual diff review for those files.

What this means

A malformed or malicious skill slug could potentially run commands with the user's local permissions.

Why it was flagged

The script runs shell commands built from interpolated slug values. If a slug or argument contains shell metacharacters, this pattern can execute unintended local commands.

Skill content

result = subprocess.run(
    cmd,
    shell=True,
...
success, output = self.run_command(f"clawhub inspect {slug}")

Recommendation

Use subprocess.run with an argument list and shell=False, and validate slugs against a strict allowlist such as letters, numbers, dashes, and underscores.

What this means

Users may believe an easy rollback tool exists when it is not actually included in the reviewed artifacts.

Why it was flagged

The documentation promises a restore-backup.py rollback tool, but the provided file manifest does not include that file, weakening the stated safety and rollback story for an updater that mutates installed skills.

Skill content

# The skill installs:
# - smart-update.py (main updater script)
# - restore-backup.py (rollback tool)
# - config.json (configuration)

Recommendation

Include the rollback tool in the package or remove the claim and document a verified manual restore procedure.

What this means

Users or reviewers could over-trust the author's safety statement despite the updater's broad mutation authority.

Why it was flagged

The package includes a self-vetting report with strong safety claims and an explicit request to mark it safe; this is not runtime behavior, but it should not replace independent review.

Skill content

Security Status: ⚠️ SUSPICIOUS (False Positive)
...
Action requested: Change status from "Suspicious" to "Safe" after manual review.

Recommendation

Base the install decision on the actual code, scope, and update controls rather than the included self-assessment.