Openclaw Autoupdate
Author: JimmieTing · v1.0.6
Total downloads: 613
Favorites: 0
Current installs: 3
Versions: 7
Install in OpenClaw
/install openclaw-autoupdate
Description
OpenClaw silent update skill. Safely automates updating OpenClaw to the latest version.
Security usage recommendations
This skill does perform exactly what an updater would: fetch a release from GitHub, install a DMG into /Applications, run a global npm install, and restart the OpenClaw gateway. That said, the package has quality issues and missing safeguards. Before installing or running it:
1) Inspect the script yourself and confirm the included SHA256 matches the shipped file.
2) Be aware the script will attempt to modify /Applications and run npm -g (may require sudo); do not run it as root without review.
3) Prefer updaters that verify release checksums or signatures — this script does not verify the downloaded DMG or npm package.
4) Confirm the GitHub release URL and the maintainer identity are legitimate; the SKILL.md/package.json/registry version mismatch is suspicious.
5) If you want lower risk, run the script manually rather than granting an agent autonomous invocation, or add integrity checks (curl the release checksum and validate) before permitting automated runs.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-autoupdate
Version: 1.0.6
The skill bundle is designed for updating the OpenClaw application and its CLI. The `scripts/silent-update.sh` script fetches version information and official releases from `api.github.com` and `github.com`, then uses standard system commands (`rm`, `cp`, `hdiutil`, `npm install -g`) to perform the update. All actions are consistent with the stated purpose of securely automating updates. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` to subvert the agent for harmful purposes. The script's actions, while requiring elevated privileges for installation, are legitimate for an update process and do not indicate malicious intent.
Capability assessment
Purpose & Capability
Name/description align with the actual script: it checks versions, downloads a DMG from GitHub, installs the app to /Applications, runs npm -g to update the CLI, and restarts the gateway. However, the registry metadata declares no required binaries, while the script clearly requires openclaw, curl, plutil, hdiutil, npm and filesystem access to /Applications. These requirements should have been declared; the mismatch suggests sloppy publishing.
Instruction Scope
SKILL.md instructs running the included script and claims only a few 'safe' commands are used, but the script performs network fetches, mounts and copies a DMG into /Applications, removes files, performs a global npm install, and restarts a system service. Those actions are consistent with an updater but go beyond simple local reads/writes and require elevated privileges; SKILL.md does not warn about required sudo/admin rights. Also SKILL.md/package.json/skill registry versions are inconsistent (SKILL.md says v1.0.2, package.json 1.0.3, registry 1.0.6), which is a red flag for maintenance quality.
Install Mechanism
No installer (instruction-only) — low installer risk. But at runtime the script downloads a DMG from GitHub and runs npm install -g without any integrity or signature verification of the downloaded artifacts. Fetching executable installers at runtime without checksum/signature verification raises supply-chain risk.
Credentials
The skill declares no env/credentials, which is appropriate, but it implicitly requires system-level privileges (writing to /Applications, global npm installs, restarting services). Those privileges are disproportionate to what the SKILL.md explicitly documents (it even downplays the scope). No environment variables are requested, but privileged filesystem and global package changes are required and not called out.
Persistence & Privilege
always:false (normal) and model invocation is allowed (normal). The script writes logs under ~/.openclaw/logs (expected) and does not attempt to modify other skills or agent config. The main concern is that an autonomously invoked updater with the ability to download and install binaries could modify system software if run without user oversight.
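How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install openclaw-autoupdate
- Once installation completes, call the Skill by name or use /openclaw-autoupdate to trigger it
- Provide the necessary input according to the Skill's parameter description to get structured output
Version history
v1.0.6
Added full update: updates both the CLI and the Menu Bar App
v1.0.5
Fixed the pnpm-priority issue; npm is now preferred
v1.0.4
Re-uploaded to fix the VirusTotal Pending issue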
v1.0.3
openclaw-autoupdate v1.0.3
- Added package.json for improved dependency and metadata management.
- Updated documentation with detailed security explanation, source code hash verification, and execution log location.
- Clarified the list of permitted commands and addressed potential false-positive virus scan warnings.
v1.0.2
- Updated documentation to clarify that no additional configuration is required and the script uses the existing openclaw CLI.
- Removed previous reference to an external config file.
v1.0.1
openclaw-autoupdate 1.0.1
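- Streamlined and optimized the documentation, removing redundant explanations and highlighting the main features and security properties
- Updated the configuration file path in use to `~/.hn-daily-digest/config.json`
- Clarified the script's purpose and the core update process steps
- Added security notes emphasizing that only trusted commands and operations are used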
v1.0.0
Initial release — automated and silent updating for OpenClaw.
- Provides step-by-step guidance for manual and automated OpenClaw updates, including version rollback.
- Supports multiple update sources and installation methods (npm, pnpm, official installer, Homebrew).
- Includes automatic update configuration, silent update scripts, and cron job examples.
- Covers service management (restart, status, log viewing) and channel switching (stable, beta, dev).
- Offers troubleshooting steps and backup recommendations.
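FAQ
What is Openclaw Autoupdate?
OpenClaw silent update skill. Safely automates updating OpenClaw to the latest version. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 613 cumulative downloads to date.
How do I install Openclaw Autoupdate?
Run the command "/install openclaw-autoupdate" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is Openclaw Autoupdate free?
Yes, Openclaw Autoupdate is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Openclaw Autoupdate support?
Openclaw Autoupdate runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Openclaw Autoupdate?
Developed and maintained by JimmieTing (@jimmieting); the current version is v1.0.6.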