← 返回 Skills 市场
104
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install xiaopi-auto-updater
功能描述
Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of w...
安全使用建议
What to check before installing:
- Verify publisher & metadata: the skill bundle lacks a homepage/source and the included _meta.json ownerId/slug differs from the registry metadata — confirm you trust the account that published this skill.
- Review the script before enabling: the helper script (~/.clawdbot/scripts/auto-update.sh) is created and will run package manager and clawdhub commands. Open and read it to ensure it does nothing unexpected.
- Run a dry-run first: use `clawdhub update --all --dry-run` and test the commands manually before enabling cron to see what would change.
- Limit privilege & scope: run the cron under an isolated user/session (the skill already suggests --session isolated) and avoid running global package managers as root unless you understand the implications.
- Backup & logging: ensure backups exist and retain the update log (~/.clawdbot/logs/auto-update.log) so you can inspect changes and recover if an update introduces issues.
- Consider restricting updates to trusted skills: automatic updates can introduce new code; if you rely on sensitive skills, prefer manual review or whitelist-only updates.
Why I flagged this as suspicious rather than benign: the runtime behavior is coherent with the described purpose, but missing source/homepage and inconsistent metadata raise provenance concerns — those should be resolved before you allow automatic updates to run.
功能分析
Type: OpenClaw Skill
Name: xiaopi-auto-updater
Version: 1.0.0
The 'xiaopi-auto-updater' skill is a legitimate utility designed to automate updates for the Clawdbot platform and its installed skills. It uses standard package managers (npm, pnpm, bun) and internal CLI tools (clawdbot, clawdhub) to perform updates and schedules them using the system's built-in cron functionality. The implementation in SKILL.md and references/agent-guide.md is transparent, follows the stated purpose, and includes no evidence of data exfiltration, unauthorized access, or malicious prompt injection.
能力评估
Purpose & Capability
The declared purpose (daily auto-update of Clawdbot and installed skills) matches the runtime instructions: add a cron job, run clawdbot update/doctor, and run clawdhub update --all. Required permissions (writing under ~/.clawdbot, running package managers, possibly elevated privileges for global npm/pnpm installs) are consistent with the task. However the registry metadata (_meta.json ownerId/slug) does not match the registry metadata provided, and the package has no homepage or source URL — this discrepancy is unexpected and worth verifying with the publisher.
Instruction Scope
SKILL.md and references instruct the agent to examine installation type (checking ~/.clawdbot, /opt), create a script at ~/.clawdbot/scripts/auto-update.sh, log to ~/.clawdbot/logs/, and run global package manager commands and clawdhub. All of these actions are within scope for an updater. The instructions do not reference unrelated system paths, external upload endpoints, or extra environment variables. Still, the script will execute arbitrary package updates (npm/pnpm/bun) which can change code and behavior — so reviewing the exact commands and the registries they pull from is important.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to install from remote URLs, which minimizes supply-chain risk from the skill bundle itself. The updater relies on existing system tools (clawdbot, clawdhub, npm/pnpm/bun) rather than downloading code from arbitrary URLs.
Credentials
The skill declares no required environment variables, credentials, or config paths. The runtime instructions use $HOME and check local paths (e.g., ~/.clawdbot) which is proportional to an updater. There is no request for unrelated secrets or external tokens.
Persistence & Privilege
The skill recommends adding a cron job (persistence appropriate for periodic updates). It does not set always:true and does not demand permanent elevated privileges in its manifest. However, the cron job will run commands capable of performing system-wide updates (including global npm updates), so consider the privilege context (which user runs the cron) and whether updates should be limited or reviewed.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install xiaopi-auto-updater - 安装完成后,直接呼叫该 Skill 的名称或使用
/xiaopi-auto-updater触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of the auto-updater skill:
- Sets up a daily cron job to automatically update Clawdbot and all installed skills.
- Notifies the user with a summary of updates applied or if all components are current.
- Supports configuration of update time, timezone, and message delivery options.
- Provides detailed instructions for setup, manual commands, troubleshooting, and disabling auto-updates.
- Compatible with Darwin and Linux operating systems.
元数据
常见问题
Xiaopi Auto Updater 是什么?
Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of w... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 104 次。
如何安装 Xiaopi Auto Updater?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install xiaopi-auto-updater」即可一键安装,无需额外配置。
Xiaopi Auto Updater 是免费的吗?
是的,Xiaopi Auto Updater 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Xiaopi Auto Updater 支持哪些平台?
Xiaopi Auto Updater 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(darwin, linux)。
谁开发了 Xiaopi Auto Updater?
由 Adin(@a-din)开发并维护,当前版本 v1.0.0。
推荐 Skills