← Back to Skills Marketplace
Update Approval Guard
by
HIIC-Wayne
· GitHub ↗
· v1.0.0
· MIT-0
263
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install update-approval-guard
Description
Use this skill when the user wants scheduled update checks for OpenClaw and installed skills, but does not want automatic mutation. The skill performs dry-ru...
Usage Guidance
This skill's behavior (check-only then apply after explicit approval) is reasonable, but the provided bundle contains many unrelated scripts, other skills, and hard-coded tokens. Before installing: 1) Inspect publish.sh and do not run it unless you trust it — it may git-init and push code. 2) Search the package for hard-coded secrets (app tokens, API keys) and remove/rotate any you find. 3) Verify cron job creation is performed in an isolated session and that the scheduled job cannot leak workspace files or push to external repos. 4) Review AGENTS.md/SOUL.md behavior: they instruct agents to read memory and user files — ensure that scheduled checks won’t expose sensitive memory to external channels. 5) If you only want the update-check logic, extract and install just the SKILL.md and example cron payload (avoid running publish scripts and unrelated code). If you’re unsure, test in a sandbox workspace (no real credentials) or decline installation until the package is cleaned.
Capability Analysis
Type: OpenClaw Skill
Name: update-approval-guard
Version: 1.0.0
The bundle contains numerous hardcoded sensitive credentials, including Feishu App Secrets (e.g., in `skills/feishu-calendar-v2/scripts/calendar.sh`), Tavily API keys (`scripts/daily_report.py`), and Bearer tokens in configuration files (`config/mcporter.json`). It also includes scripts with high-risk capabilities, such as `skills/veadk-skills/scripts/save_file.py` which allows arbitrary file writes, and `skills/hiic-industry-daily-report/scripts/schedule-push.sh` which modifies the system crontab. While these represent significant security vulnerabilities and poor credential management, they appear to be part of a complex, functional workspace rather than intentionally malicious code designed for data exfiltration or unauthorized remote control.
Capability Assessment
Purpose & Capability
The SKILL.md describes a narrow updater that only needs the local openclaw/clawhub commands and workspace storage. However the published package contains dozens of other skill directories, scripts, config files, and baked-in tokens (e.g., feishu app_token, mcporter Bearer tokens, instreet api_key). Those extras are unrelated to a simple update-checker and increase the attack surface and data exposure risk.
Instruction Scope
The SKILL.md itself is tightly scoped (dry-run checks, create pending-update.json, apply only on explicit approval). But other included files (AGENTS.md, SOUL.md, memory files) instruct agents to read workspace memory and user files on startup. The package-level instructions encourage reading many files (MEMORY.md, USER.md, etc.), which is scope creep relative to an update-approval helper and could leak sensitive context during scheduled tasks.
Install Mechanism
There is no formal install spec (instruction-only), which normally limits risk — but the bundle contains a publish.sh and an UPDATE-APPROVAL-GUARD-PUBLISH.md that describe an automated publish workflow (git init, push to GitHub, publish to ClawHub). That behavior could exfiltrate workspace code or metadata if the script is run. Also many auxiliary scripts and backups are bundled unnecessarily with the single-skill description.
Credentials
The skill declares no required env vars or credentials, but the repository includes multiple files with hard-coded tokens and API keys (e.g., config/industry_news_config.json app_token, config/mcporter.json Bearer tokens, instreet api_key). These credentials are unrelated to the update-check workflow and indicate either accidental leakage or an incoherent package composition.
Persistence & Privilege
always is false (good). Model invocation is enabled (default). There is no declared behavior that forces permanent installation, but embedded files/instructions (publish script, cron example) could be used to create persistent cron jobs or publish code if an operator runs them. Autonomous cron-triggered agent turns could read workspace files; combined with the other issues this increases blast radius.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install update-approval-guard - After installation, invoke the skill by name or use
/update-approval-guard - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Daily update checker with approval workflow for OpenClaw
Metadata
Frequently Asked Questions
What is Update Approval Guard?
Use this skill when the user wants scheduled update checks for OpenClaw and installed skills, but does not want automatic mutation. The skill performs dry-ru... It is an AI Agent Skill for Claude Code / OpenClaw, with 263 downloads so far.
How do I install Update Approval Guard?
Run "/install update-approval-guard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Update Approval Guard free?
Yes, Update Approval Guard is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Update Approval Guard support?
Update Approval Guard is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Update Approval Guard?
It is built and maintained by HIIC-Wayne (@waytobetter619); the current version is v1.0.0.
More Skills