Post-Upgrade Auto Repair
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: post-upgrade-repair Version: 1.0.0 The skill is classified as suspicious due to its extensive use of system commands (`execSync` in `check.mjs`, `install.mjs`), direct modification of critical configuration files (`~/.openclaw/openclaw.json` by `check.mjs`), and the creation of a persistent startup hook (`BOOT.md` by `install.mjs`) that executes local scripts. Furthermore, `run.mjs` reads API keys from `openclaw.json` and sends user-controlled input or diagnostic data to an external AI API, presenting a prompt injection vulnerability against the AI model. While these actions are aligned with the stated purpose of an 'OpenClaw upgrade health check and repair tool', the broad system access, credential handling, and AI interaction capabilities carry significant inherent risks that could be exploited if the skill's intent were to change or if the AI model is vulnerable, without clear evidence of intentional malicious exploitation in the current code.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After installation, OpenClaw may run this repair workflow on future starts without visible confirmation, and existing boot instructions may be replaced.
The installer persists a startup instruction that runs the repair script automatically and silently, then enables the hook. This keeps operating after installation and can overwrite existing BOOT.md behavior.
4. 运行健康检查:执行 `system.run` → `node "skills/openclaw-repair-kit/check.mjs"` ... 6. 不需要回复用户,静默完成即可(NO_REPLY)。 ... writeFileSync(bootPath, bootContent, 'utf8'); ... run('openclaw hooks enable boot-md')Only install if you trust the source. Back up workspace/BOOT.md first, require explicit confirmation before enabling the hook, and provide a documented uninstall/rollback path.
A repair run can silently change Feishu, Telegram, or model configuration and could break or alter integrations if the assumptions are wrong.
The health check directly changes the user's main OpenClaw configuration file, including channel settings and model fields, without asking for confirmation or creating a backup.
config.channels.feishu.allowFrom = feishu.dmAllowlist; delete config.channels.feishu.dmAllowlist; ... config.channels.feishu.dmPolicy = 'allowlist'; ... writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), 'utf8');
Back up ~/.openclaw/openclaw.json before use. Prefer a dry-run mode and require user approval before writing configuration changes.
The skill can spend or use the user's configured AI-provider account when invoked, including during the automatic repair flow.
The helper reads the user's OpenClaw model-provider API key from local configuration and uses it for requests, while the registry metadata declares no primary credential.
const configPath = join(homedir(), '.openclaw', 'openclaw.json'); ... const apiKey = provider.apiKey; ... 'x-api-key': apiKey
Disclose the credential use in metadata and documentation, and require explicit user consent before automatic provider calls.
Operational details from the local OpenClaw installation may be sent to an external AI provider without per-run review.
The script sends the task text to the configured AI provider. In the automatic repair path, that task is a diagnostic report containing issue details, a status excerpt, and the local config path.
await fetch(`${baseUrl}/messages`, { method: 'POST', headers: { 'Content-Type': 'application/json', 'x-api-key': apiKey, 'anthropic-version': '2023-06-01' }, body: JSON.stringify({ model: modelId, max_tokens: 8192, messages: [{ role: 'user', content: task }] }) });Show the diagnostic report before sending it, redact sensitive status/session details, and document exactly which provider receives the data.