Version Drift Publish

by rtaylorgraham · GitHub ↗ · v1.2.1 · MIT-0
cross-platform ⚠ suspicious
274 Downloads · 0 Stars · 0 Active Installs · 4 Versions
Install in OpenClaw
/install version-drift
Description
One command to check if your entire stack is up to date. SSHes into servers, queries APIs, and compares installed versions against latest — across every serv...
Usage Guidance
This skill is coherent with its stated purpose, but it is powerful: it will run arbitrary shell commands locally and over SSH and will issue HTTP requests to any URL you configure. Before you install or run it:
  1. Review config.yaml carefully: any command in 'installed' will be executed.
  2. Keep secrets minimal and put them in environment variables with least-privilege tokens (the script will expand and use any ${VAR} you reference).
  3. Prefer a non-root SSH user with read-only permissions where possible.
  4. Be aware it writes a state file (state.json) in the working directory.
  5. Consider running first in a sandbox or CI runner with limited credentials.
  6. If you need stronger SSH host verification, explicitly set strict_host_key in your config instead of using the default accept-new.
If you want further checks, provide the full drift.py for deeper code review (the supplied snippet is large but truncated in places).
Capability Analysis
Type: OpenClaw Skill
Name: version-drift
Version: 1.2.1
The bundle provides a version-tracking utility that utilizes high-risk primitives, specifically arbitrary local shell execution via 'sh -c' and remote execution via SSH in drift.py. While these capabilities are aligned with the tool's stated purpose of checking software versions across a stack, the script lacks input sanitization for commands defined in config.yaml, creating a direct path for Remote Code Execution (RCE). No evidence of intentional malice, data exfiltration, or hardcoded backdoors was found, but the broad execution surface on both the local host and remote servers justifies a suspicious classification.
Capability Assessment
Purpose & Capability
The name/description say it will SSH, call HTTP APIs, and run local commands to discover versions; the included config examples and drift.py implement exactly that. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md and drift.py permit executing arbitrary shell commands on local and remote hosts, fetching arbitrary HTTP endpoints, and saving state to a local file. That is necessary for the stated goal, but it gives the script high power — any command you place in config.yaml will be executed.
Install Mechanism
There is no install spec and no remote downloads; this is an instruction-only skill with an included Python script. It optionally uses pyyaml if installed but falls back to JSON. No high-risk installers or external archives are pulled.
Credentials
The skill declares no required env vars but reads environment variables at runtime (expand_env, and optional GITHUB_TOKEN for GitHub API rate limits). config.example.yaml shows placeholders like ${HA_TOKEN} and ${API_KEY}. The skill will expand and use any env var referenced in your config, so it can access secrets you place into environment variables even though none are listed in the metadata.
Persistence & Privilege
Not always-included and not auto-installed. The tool writes a local state file (default state.json) to track drift and uses SSH with StrictHostKeyChecking=accept-new by default (trust-on-first-use). Both behaviors are normal for this tool but worth noting for operational security.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install version-drift
  3. After installation, invoke the skill by name or use /version-drift
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.1
SSH host key checking now defaults to accept-new (trust-on-first-use) instead of no. Configurable per-host via strict_host_key setting. Addresses VirusTotal MITM warning.
v1.2.0
New --changes flag: see actual release notes between your installed version and latest. Fetches GitHub releases for GitHub, npm, and PyPI sources. Includes drift descriptions showing major/minor/patch breakdown.
v1.1.0
Security hardening: removed shell=True, SSL verification on by default (configurable per-host), replaced raw IPs with .local hostnames in examples, added Security section to SKILL.md
v1.0.0
Initial release: SSH/HTTP/local version checks, GitHub/npm/PyPI/Docker Hub/custom HTTP sources, state tracking, table/JSON/markdown output.
Metadata
Slug version-drift
Version 1.2.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Version Drift Publish?

One command to check if your entire stack is up to date. SSHes into servers, queries APIs, and compares installed versions against latest — across every serv... It is an AI Agent Skill for Claude Code / OpenClaw, with 274 downloads so far.

How do I install Version Drift Publish?

Run "/install version-drift" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Version Drift Publish free?

Yes, Version Drift Publish is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Version Drift Publish support?

Version Drift Publish is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Version Drift Publish?

It is built and maintained by rtaylorgraham (@rtaylorgraham); the current version is v1.2.1.
