Ollama Updater

Ollama Updater installs or updates Ollama with curl-based breakpoint resume, auto-retry, progress display, old version cleanup, and GPU driver detection.

This package appears to be an Ollama installer and its shell script behavior (resumable curl, extraction, systemd, user/group changes) is coherent with that purpose — but there are multiple red flags you should resolve before installing: 1) The manifest/docs reference files (main.py, CLI wrapper) that are not present; SKILL.md even shows 'bash .../main.py' which is wrong. This indicates sloppy packaging and increases risk of user/agent confusion. 2) The installer runs as root and will create users, write to /usr/local and /etc/systemd — review the script content (ollama-install.sh) line-by-line to confirm it only downloads from trusted hosts (ollama.com, GitHub) and makes expected changes. 3) Prefer to verify download integrity (checksums or signatures) for the Ollama binaries it fetches; consider running the script in a container or VM first if you’re unsure. 4) If you intend to let an agent invoke this skill autonomously, restrict that until you confirm the missing files and documentation inconsistencies are resolved. If you want, provide the missing files (main.py, wrapper) or a trustworthy upstream repository URL and I can re-evaluate with higher confidence.

Type: OpenClaw Skill Name: ollama-updater Version: 1.0.1 The skill's primary purpose is to install/update Ollama with resumable downloads, which is a legitimate function. However, the `ollama-install.sh` script is vulnerable to shell injection. The `OLLAMA_VERSION` environment variable, intended for specifying Ollama versions, is directly interpolated into a `curl` command's URL without proper sanitization. This allows for potential Remote Code Execution (RCE) if an attacker can control the `OLLAMA_VERSION` input, making the skill suspicious due to this critical vulnerability.