Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of what changed.
Security Analysis
High confidence: The skill's instructions are consistent with its stated purpose (setting up a daily cron job to update Clawdbot and installed skills); it does not request extra credentials or install arbitrary code itself, but auto-applying updates carries operational risk (trust in the registry and permissions).
The name/description match the instructions: SKILL.md explains creating a cron job that runs clawdbot and clawdhub update commands. The actions (npm/pnpm/bun update, clawdbot update, clawdhub update --all) are proportional to 'auto-update' functionality. Note: the skill assumes clawdbot/clawdhub and package managers exist on the system even though required binaries are not explicitly declared in metadata.
Instructions are narrowly focused on updating Clawdbot and skills, creating a helper script under ~/.clawdbot/, logging to ~/.clawdbot/logs/, and adding a cron job. They do not instruct reading unrelated files or exfiltrating data. However, the runtime commands will perform network operations and modify installed software; the guide also suggests using sudo/permission fixes when necessary — so the agent will be able to perform privileged actions if the environment allows them.
This is an instruction-only skill with no install spec and no code files — minimal installer risk. It writes a helper script and cron job at runtime (user home), which is expected for this functionality.
No environment variables or credentials are requested, which is appropriate. Important security consideration: the skill automatically trusts whatever the registry/ClawdHub provides when running 'clawdhub update --all' and will apply updates without interactive review unless the user configures otherwise. Automatic updates increase the attack surface if the registry, ClawdHub, or package update channels are compromised.
The skill does not force permanent inclusion (always:false) and is user-invocable, but it does create a cron job and helper script that persist and run daily under the user's account. That persistence is expected for an auto-updater but does increase blast radius relative to a one-off manual command — ensure the cron job runs with least privilege and not as root.
Guidance
This skill is internally coherent and does what it says: it will create a script and add a daily cron job that runs 'clawdbot' and 'clawdhub' update commands and then message you a summary. Before installing, consider:
1) Auto-updates implicitly trust the registry and update channels — if the registry or an updated package is malicious you could auto-install it; consider using dry-run ('clawdhub update --all --dry-run') or limiting updates to specific skills.
2) Global package updates (npm/pnpm/bun) may require elevated permissions; avoid running the cron job as root.
3) The script/logs are placed in ~/.clawdbot/ — review and backup before enabling.
4) Confirm clawdbot and clawdhub are present and working locally.
5) If you want tighter control, run updates manually or weekly, or configure the cron job to notify you for manual approval.
If you want me to propose a safer variant (e.g., dry-run + email/notification for approvals, or limited-scope updates), I can produce the modified SKILL.md and cron commands.
Latest Release
v1.0.0
Automatically checks for and applies updates to Clawdbot and all installed skills once daily via cron. Sends the user a message summarizing what was updated and any issues encountered.
Published by @maximeprades on ClawHub