sys-updater

System package maintenance for Ubuntu (apt), npm, brew, and OpenClaw skills. Conservative workflow with 2-day quarantine for non-security updates, automatic...

What to check before installing or running this skill: 1) Read the code. The repo includes scripts that will run sudo commands, parse apt logs, and perform network requests to GitHub/npm/Homebrew. If you can't review them yourself, run them in an isolated test VM first. 2) Sudoers mismatch: the docs intentionally restrict passwordless sudo to apt-get update, apt-get -s upgrade (simulation) and unattended-upgrade. But the code calls 'sudo apt-get install' to apply planned non-security updates. Decide which behavior you want: either (A) keep sudoers restrictive and remove/disable planned installs in the code, or (B) explicitly add apt-get install to sudoers after understanding the consequences. Never add broad sudo rights — add only the exact commands (absolute paths) you audited. 3) Paths and binaries: verify correct absolute paths in sudoers. The docs/examples reference both /usr/bin/unattended-upgrade and /usr/sbin/unattended-upgrade in different places — confirm the actual path on your distribution. 4) Telegram/OpenClaw behavior: the skill renders reports but does not appear to ship or require a Telegram bot token; cron/OpenClaw is expected to forward the report. If you expect the skill to push messages itself, look for code that stores or uses bot tokens (none declared). Similarly, auto-updating OpenClaw skills implies using clawhub — ensure you understand what clawhub does and that the binary/credentials are available and limited. 5) Network calls and rate limits: auto_review.py will query public APIs (GitHub/npm/brew). It uses unauthenticated GitHub requests (60/hr). If you need higher rate or authenticated checks, consider adding a token and auditing how it is stored. 6) Permissions to read system files: parsing /var/log/apt/history.log may require root privileges on some systems; the code handles PermissionError but will produce incomplete data if it cannot read logs. 7) Test in dry-run: use the provided --dry-run and --verbose modes. Run on a non-production host and inspect generated state/logs before enabling cron/systemd or changing sudoers. 8) Reconciliation: if you accept planned installs, add tests and an audit path to ensure planned installs cannot be abused to install arbitrary packages. Prefer whitelisting package names or requiring manual confirmation for potentially dangerous packages. If you provide updated metadata (declare required binaries and env vars) and either remove/disable the sudo apt-get install usage or explicitly include it in the documented sudoers with audited absolute paths, my confidence that this skill is coherent and low-risk would increase.

Type: OpenClaw Skill Name: sys-updater Version: 1.1.0 The skill's stated purpose is system maintenance, including security updates and package management. However, the `scripts/apt_maint.py` file attempts to execute `sudo apt-get install -y` and `sudo apt-get autoremove -y` commands. These actions directly contradict the explicit security recommendations in `SKILL.md` and `docs/sudoers.md`, which state that `apt-get install` and `apt-get autoremove` permissions should *not* be granted. This discrepancy creates a significant vulnerability: if the user's sudoers configuration is less restrictive than recommended (e.g., `NOPASSWD: ALL`), these commands could be exploited for Remote Code Execution (RCE), allowing arbitrary package installation or removal. While the script's intent appears to be maintenance, this critical inconsistency between code and documented security policy makes the skill suspicious due to the high-risk capability.