Openclaw Plugin Upgrade

The skill's name/description match the included script's behavior (detecting OpenClaw CLI, backing up plugin dirs, installing/updating packages, validating files, and restarting gateway). One mismatch: package metadata declares no required binaries, but the script requires 'node' and an OpenClaw CLI binary (openclaw|clawdbot|moltbot) to function — these are necessary for the stated purpose and should be declared.

SKILL.md and the script limit actions to plugin-related tasks: locating extensions/config, creating a temporary config copy to bypass 3.23+ validation, running plugins update/install, validating package.json and specified files, optionally running a plugin postinstall script, and restarting the gateway. The script reads and writes OpenClaw config and plugin directories (appropriate for an upgrader) and does not send data to external endpoints beyond normal npm/CLI network operations.

This is an instruction-only skill with a bundled shell script; there is no install spec that downloads external code. The provided script will be executed by the agent. No remote arbitrary-code download URLs were observed.

The skill requests no environment variables or credentials in metadata (none required), and the script only uses standard filesystem locations (HOME, CLI data directory) and sets a temporary OPENCLAW_CONFIG_PATH at runtime. This is proportionate, but the script implicitly requires 'node' and the OpenClaw CLI on PATH — the metadata should list these as required binaries. The script also performs deletions (rm -rf) for legacy dirs and moves backups, which is expected but destructive if pointed at the wrong path.

The skill is user-invocable and not marked 'always'. It does not attempt to persist itself, modify other skills, or change global agent configuration beyond using a temporary OPENCLAW_CONFIG_PATH during execution. Autonomous invocation is allowed by platform default, but that is not unique to this skill.