OpenClaw Updater (LinZ)
v1.0.0
Automatically check for and install OpenClaw updates. Use when the user wants to update OpenClaw to the latest version, schedule automatic updates, or check...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description claim an updater for OpenClaw and the SKILL.md plus the included script implement that behavior (version check via npm, backup, install, verification, rollback). One minor inconsistency: registry metadata lists no required binaries, but the script expects node, npm, tar (and possibly notify); these should have been declared.
Instruction Scope
The SKILL.md instructs the agent to run the included script and to optionally schedule it via cron; the script's actions (reading/writing under $HOME/.openclaw, creating backups, querying npm, running npm install -g) are in-scope for an updater. The instructions do not read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with an included shell script (no installer). The script uses npm to fetch packages from the npm registry, which is expected for a Node-based updater. No arbitrary external download URLs or archive extraction from unknown hosts are used.
Credentials
The skill requests no secrets or credentials. It uses only standard environment values (HOME) and an optional OPENCLAW_UPDATE_LOG override; that is proportionate to its purpose.
Persistence & Privilege
always is false and the skill does not request permanent elevated privileges. It suggests adding a cron job (user-controlled) and does not modify other skills or global agent settings.
Assessment
This updater appears to do what it claims, but check these points before installing or scheduling it:
1) The script runs npm install -g which modifies global packages and may require sudo — be comfortable granting that or run tests in a sandbox.
2) Verify the npm package names (@openclaw/core or openclaw) on the npm registry and confirm the package publisher is trusted.
3) Ensure you have Node.js >=22.16.0 and that npm/node/tar are available (the metadata did not list these required binaries).
4) Use --dry-run first and inspect the created backups in ~/.openclaw/backups before relying on automated cron runs.
5) Because the skill source/homepage is unknown, consider reviewing the script locally (it is included) and, if you automate it, restrict cron to run under an account with appropriate permissions and monitor ~/.openclaw/logs/auto-update.log.
Like a lobster shell, security has layers — review code before you run it.
