bigsan

OpenClaw Updater

Author: San Chen · GitHub ↗ · v1.6.0
cross-platform ⚠ suspicious
Total downloads: 675
Favorites: 0
Current installs: 3
Versions: 7
Install in OpenClaw
/install openclaw-updater
Description
Safely update OpenClaw with pre-flight checks and rollback support. Use when updating OpenClaw, checking for updates, or recovering from a failed update. Han...
Security recommendations
This updater generally does what it says, but the package metadata understates what it needs. Before installing/running: (1) manually review the included scripts; (2) ensure the host has openclaw, git, node, npm and curl installed; (3) create and protect the ~/.openclaw/.telegram-notify.env file (chmod 600) if you want notifications; (4) be aware pre-update will auto-initialize/git-commit workspaces and backup config to /tmp (consider securing the backup location); (5) expect the updater to run npm install -g and restart the gateway — run in a controlled environment or test with --dry-run/--test-notify first. If you want stronger guarantees, ask the author to update the registry metadata to declare required binaries and env vars and to avoid using /tmp for sensitive backups.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-updater
Version: 1.6.0
The skill bundle contains a significant arbitrary command execution vulnerability in `scripts/pre-update.sh`. This script executes the `BACKUP_SCRIPT` environment variable if it's set and executable, allowing an attacker (or a prompt-injected agent) to run arbitrary commands, as highlighted in `SKILL.md` where `BACKUP_SCRIPT` is presented as an optional parameter. Additionally, `scripts/update.sh` performs external network calls to `api.telegram.org` for notifications, using sensitive tokens stored locally, which is explicitly documented and part of the skill's purpose.
Capability assessment
Purpose & Capability
The scripts perform the expected update/rollback tasks (git commits of workspaces, config backup, npm-based rollback, gateway restart, Telegram notifications). However the registry metadata claims no required binaries or env vars while the scripts clearly rely on multiple system tools (openclaw CLI, npm, git, node, curl) and optional TELEGRAM_* credentials. This mismatch is an incoherence between what the skill claims and what it needs to run.
Instruction Scope
SKILL.md and the included scripts operate on user data: they read ~/.openclaw/openclaw.json, discover and git-commit workspace directories (initializing repos if missing), copy config to /tmp, run an optional backup script specified by the user, perform npm installs, and restart the gateway. All of this is within the updater's stated scope, but some actions modify user files (git commits, npm -g installs) and execute a user-specified BACKUP_SCRIPT — review those carefully before running.
Install Mechanism
No external install/download steps are declared; the skill is instruction-only and ships its scripts in the bundle. There are no remote archives or URL downloads in the install process.
Credentials
The registry metadata lists no required environment variables, but the scripts require TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID (via an env file) for notifications. The scripts also depend on CLI tools (openclaw, npm, git, node, curl) that are not declared. The script writes backups to /tmp (world-writable by default), which is convenient but less secure and could be tampered with on multi-user systems.
Persistence & Privilege
The skill is not force-included (always:false) and doesn't request persistent platform privileges. Still, running these scripts will perform privileged or persistent actions on the host: global npm installs (npm install -g) change system-wide packages and restarting the gateway changes running services. Those are expected for an updater but are significant side effects — confirm you want them before running.
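How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install openclaw-updater
  3. Once installation completes, invoke the Skill by name or trigger it with /openclaw-updater
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history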
v1.6.0
Fix false failure reports: verify update by version comparison instead of exit code; wait up to 120s for binary availability during npm install
v1.5.0
rollback.sh: add --help, confirmation prompt before rollback, reject unknown args
v1.4.0
Add --help, --test-notify, --dry-run flags; reject unknown arguments
v1.3.0
Read workspace paths from openclaw.json config instead of guessing; supports custom workspace locations (e.g. legacy ~/clawd/)
v1.2.0
Auto-detect legacy ~/clawd/ directory for backward compatibility
v1.1.0
Add Telegram notification setup docs
v1.0.0
Initial release: safe update with pre-flight checks, rollback support, and Telegram notifications
Metadata
Slug openclaw-updater
Version 1.6.0
License
Total installs 4
Current installs 3
Version count 7
FAQ

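What is OpenClaw Updater?

Safely update OpenClaw with pre-flight checks and rollback support. Use when updating OpenClaw, checking for updates, or recovering from a failed update. Han... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 675 total downloads to date.

How do I install OpenClaw Updater?

Run the command "/install openclaw-updater" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is OpenClaw Updater free?

Yes, OpenClaw Updater is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does OpenClaw Updater support?

OpenClaw Updater runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed OpenClaw Updater?

It is developed and maintained by San Chen (@bigsan); the current version is v1.6.0.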
