
Openclaw Autoupdate

by JimmieTing · GitHub ↗ · v1.0.6
cross-platform ⚠ suspicious
Downloads: 613 · Stars: 0 · Active Installs: 3 · Versions: 7
Install in OpenClaw
/install openclaw-autoupdate
Description
OpenClaw silent update skill. Safely automates updating OpenClaw to the latest version.
Usage Guidance
This skill does perform exactly what an updater would: fetch a release from GitHub, install a DMG into /Applications, run a global npm install, and restart the OpenClaw gateway. That said, the package has quality issues and missing safeguards. Before installing or running it:
  1. Inspect the script yourself and confirm the included SHA256 matches the shipped file.
  2. Be aware the script will attempt to modify /Applications and run npm -g (may require sudo); do not run it as root without review.
  3. Prefer updaters that verify release checksums or signatures — this script does not verify the downloaded DMG or npm package.
  4. Confirm the GitHub release URL and the maintainer identity are legitimate; the SKILL.md/package.json/registry version mismatch is suspicious.
  5. If you want lower risk, run the script manually rather than granting an agent autonomous invocation, or add integrity checks (curl the release checksum and validate) before permitting automated runs.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-autoupdate
Version: 1.0.6
The skill bundle is designed for updating the OpenClaw application and its CLI. The `scripts/silent-update.sh` script fetches version information and official releases from `api.github.com` and `github.com`, then uses standard system commands (`rm`, `cp`, `hdiutil`, `npm install -g`) to perform the update. All actions are consistent with the stated purpose of securely automating updates. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` to subvert the agent for harmful purposes. The script's actions, while requiring elevated privileges for installation, are legitimate for an update process and do not indicate malicious intent.
Capability Assessment
Purpose & Capability
Name/description align with the actual script: it checks versions, downloads a DMG from GitHub, installs the app to /Applications, runs npm -g to update the CLI, and restarts the gateway. However, the registry metadata declares no required binaries, while the script clearly requires openclaw, curl, plutil, hdiutil, npm and filesystem access to /Applications; none of these are declared. The mismatch suggests sloppy publishing; these requirements should have been declared.
Instruction Scope
SKILL.md instructs running the included script and claims only a few 'safe' commands are used, but the script performs network fetches, mounts and copies a DMG into /Applications, removes files, performs a global npm install, and restarts a system service. Those actions are consistent with an updater but go beyond simple local reads/writes and require elevated privileges; SKILL.md does not warn about required sudo/admin rights. Also SKILL.md/package.json/skill registry versions are inconsistent (SKILL.md says v1.0.2, package.json 1.0.3, registry 1.0.6), which is a red flag for maintenance quality.
Install Mechanism
No installer (instruction-only) — low installer risk. But at runtime the script downloads a DMG from GitHub and runs npm install -g without any integrity or signature verification of the downloaded artifacts. Fetching executable installers at runtime without checksum/signature verification raises supply-chain risk.
Credentials
The skill declares no env/credentials, which is appropriate, but it implicitly requires system-level privileges (writing to /Applications, global npm installs, restarting services). Those privileges are disproportionate to what the SKILL.md explicitly documents (it even downplays the scope). No environment variables are requested, but privileged filesystem and global package changes are required and not called out.
Persistence & Privilege
always:false (normal) and model invocation is allowed (normal). The script writes logs under ~/.openclaw/logs (expected) and does not attempt to modify other skills or agent config. The main concern is that an autonomously invoked updater with the ability to download and install binaries could modify system software if run without user oversight.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-autoupdate
  3. After installation, invoke the skill by name or use /openclaw-autoupdate
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.6
Added full update: updates both the CLI and the Menu Bar App
v1.0.5
Fixed the pnpm-priority issue; npm is now used first
v1.0.4
Re-uploaded to fix the VirusTotal Pending issue
v1.0.3
openclaw-autoupdate v1.0.3
- Added package.json for improved dependency and metadata management.
- Updated documentation with detailed security explanation, source code hash verification, and execution log location.
- Clarified the list of permitted commands and addressed potential false-positive virus scan warnings.
v1.0.2
- Updated documentation to clarify that no additional configuration is required and the script uses the existing openclaw CLI.
- Removed previous reference to an external config file.
v1.0.1
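openclaw-autoupdate 1.0.1
- Streamlined and optimized the documentation, removing redundant explanations and highlighting the main features and security properties
- Updated the configuration file path used to `~/.hn-daily-digest/config.json`
- Clarified the script's purpose and the core update steps
- Added a security note emphasizing that only trusted commands and operations are used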
v1.0.0
Initial release — automated and silent updating for OpenClaw.
- Provides step-by-step guidance for manual and automated OpenClaw updates, including version rollback.
- Supports multiple update sources and installation methods (npm, pnpm, official installer, Homebrew).
- Includes automatic update configuration, silent update scripts, and cron job examples.
- Covers service management (restart, status, log viewing) and channel switching (stable, beta, dev).
- Offers troubleshooting steps and backup recommendations.
Metadata
Slug openclaw-autoupdate
Version 1.0.6
License
All-time Installs 3
Active Installs 3
Total Versions 7
Frequently Asked Questions

What is Openclaw Autoupdate?

OpenClaw silent update skill. Safely automates updating OpenClaw to the latest version. It is an AI Agent Skill for Claude Code / OpenClaw, with 613 downloads so far.

How do I install Openclaw Autoupdate?

Run "/install openclaw-autoupdate" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Openclaw Autoupdate free?

Yes, Openclaw Autoupdate is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Openclaw Autoupdate support?

Openclaw Autoupdate is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Openclaw Autoupdate?

It is built and maintained by JimmieTing (@jimmieting); the current version is v1.0.6.
