bigsan

OpenClaw Updater

by San Chen · GitHub ↗ · v1.6.0
cross-platform ⚠ suspicious
Downloads: 675
Stars: 0
Active Installs: 3
Versions: 7
Install in OpenClaw
/install openclaw-updater
Description
Safely update OpenClaw with pre-flight checks and rollback support. Use when updating OpenClaw, checking for updates, or recovering from a failed update. Han...
Usage Guidance
This updater generally does what it says, but the package metadata understates what it needs. Before installing/running:
  1. Manually review the included scripts.
  2. Ensure the host has openclaw, git, node, npm and curl installed.
  3. Create and protect the ~/.openclaw/.telegram-notify.env file (chmod 600) if you want notifications.
  4. Be aware pre-update will auto-initialize/git-commit workspaces and back up config to /tmp (consider securing the backup location).
  5. Expect the updater to run npm install -g and restart the gateway; run in a controlled environment or test with --dry-run/--test-notify first.
If you want stronger guarantees, ask the author to update the registry metadata to declare required binaries and env vars and to avoid using /tmp for sensitive backups.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-updater
Version: 1.6.0
The skill bundle contains a significant arbitrary command execution vulnerability in `scripts/pre-update.sh`. This script executes the `BACKUP_SCRIPT` environment variable if it's set and executable, allowing an attacker (or a prompt-injected agent) to run arbitrary commands, as highlighted in `SKILL.md` where `BACKUP_SCRIPT` is presented as an optional parameter. Additionally, `scripts/update.sh` performs external network calls to `api.telegram.org` for notifications, using sensitive tokens stored locally, which is explicitly documented and part of the skill's purpose.
Capability Assessment
Purpose & Capability
The scripts perform the expected update/rollback tasks (git commits of workspaces, config backup, npm-based rollback, gateway restart, Telegram notifications). However the registry metadata claims no required binaries or env vars while the scripts clearly rely on multiple system tools (openclaw CLI, npm, git, node, curl) and optional TELEGRAM_* credentials. This mismatch is an incoherence between what the skill claims and what it needs to run.
Instruction Scope
SKILL.md and the included scripts operate on user data: they read ~/.openclaw/openclaw.json, discover and git-commit workspace directories (initializing repos if missing), copy config to /tmp, run an optional backup script specified by the user, perform npm installs, and restart the gateway. All of this is within the updater's stated scope, but some actions modify user files (git commits, npm -g installs) and execute a user-specified BACKUP_SCRIPT — review those carefully before running.
Install Mechanism
No external install/download steps are declared; the skill is instruction-only and ships its scripts in the bundle. There are no remote archives or URL downloads in the install process.
Credentials
The registry metadata lists no required environment variables, but the scripts require TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID (via an env file) for notifications. The scripts also depend on CLI tools (openclaw, npm, git, node, curl) that are not declared. The script writes backups to /tmp (world-writable by default), which is convenient but less secure and could be tampered with on multi-user systems.
Persistence & Privilege
The skill is not force-included (always:false) and doesn't request persistent platform privileges. Still, running these scripts will perform privileged or persistent actions on the host: global npm installs (npm install -g) change system-wide packages and restarting the gateway changes running services. Those are expected for an updater but are significant side effects — confirm you want them before running.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-updater
  3. After installation, invoke the skill by name or use /openclaw-updater
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.6.0
Fix false failure reports: verify update by version comparison instead of exit code; wait up to 120s for binary availability during npm install
v1.5.0
rollback.sh: add --help, confirmation prompt before rollback, reject unknown args
v1.4.0
Add --help, --test-notify, --dry-run flags; reject unknown arguments
v1.3.0
Read workspace paths from openclaw.json config instead of guessing; supports custom workspace locations (e.g. legacy ~/clawd/)
v1.2.0
Auto-detect legacy ~/clawd/ directory for backward compatibility
v1.1.0
Add Telegram notification setup docs
v1.0.0
Initial release: safe update with pre-flight checks, rollback support, and Telegram notifications
Metadata
Slug openclaw-updater
Version 1.6.0
License
All-time Installs 4
Active Installs 3
Total Versions 7
Frequently Asked Questions

What is OpenClaw Updater?

Safely update OpenClaw with pre-flight checks and rollback support. Use when updating OpenClaw, checking for updates, or recovering from a failed update. Han... It is an AI Agent Skill for Claude Code / OpenClaw, with 675 downloads so far.

How do I install OpenClaw Updater?

Run "/install openclaw-updater" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenClaw Updater free?

Yes, OpenClaw Updater is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenClaw Updater support?

OpenClaw Updater is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created OpenClaw Updater?

It is built and maintained by San Chen (@bigsan); the current version is v1.6.0.
