sys-updater

The project is plausibly a system updater for apt/npm/brew and OpenClaw skills — that capability explains most included code (apt_maint.py, pkg_maint.py, auto_review.py) and the documentation. However registry metadata (no required binaries / no required env vars) does not match SKILL.md which declares required binaries (apt-get, npm, brew, clawhub) and environment variables (SYS_UPDATER_BASE_DIR, SYS_UPDATER_STATE_DIR, SYS_UPDATER_LOG_DIR). The claimed behavior (auto-review, skill updates via ClawHub, Telegram reports) is consistent with the code, but the metadata omission is an incoherence that makes automated permission checks unreliable.

Runtime instructions and code perform system-level actions: run sudo apt-get update, run unattended-upgrade (applies security updates), simulate upgrades, parse /var/log/apt/history.log, and call external services (npm registry, Homebrew API, GitHub API). The SKILL.md also instructs creating a sudoers file to allow passwordless sudo for apt/unattended-upgrade. The skill also documents auto-updating OpenClaw skills (clawhub) and generating Telegram reports; however, no Telegram token or sending code is declared (the repo expects the caller to forward/report). The scope (reading system logs, running sudoed commands, and making network requests) is consistent with an updater but is sensitive — especially because the instructions include granting passwordless sudo for system update commands.

There is no external install step (instruction-only + bundled Python scripts). The code uses only Python stdlib and subprocess calls; nothing is downloaded from arbitrary URLs. That lowers install risk compared to downloadable binaries. The repo includes code files (not pure prose), so a code review is appropriate before use.

The skill requires elevated capability (passwordless sudo entries) which is proportionate for a tool that applies security updates, but there are notable mismatches: 1) The documented sudoers entries intentionally exclude apt-get install (and docs repeatedly say "No package installation/removal through sudo"), yet the code's apply_planned_apt_upgrades calls 'sudo apt-get install -y <packages>' — this will fail unless sudoers is expanded (or the code is changed), creating a dangerous gap between intended permissions and actual behavior. 2) SKILL.md mentions Telegram reporting and OpenClaw/clawhub usage, but no credential/environment variables (e.g., Telegram bot token or clawhub config) are declared in registry metadata. 3) The registry metadata lists no required env vars while the docs and code expect SYS_UPDATER_* env vars — an inconsistency that affects deploy/automation and least-privilege questions.

The skill does not set always:true, but it asks the operator to create a sudoers file granting passwordless execution of system update commands for a user. Modifying /etc/sudoers.d is a permanent, high-impact change and should be done deliberately. Combined with the code calling 'sudo apt-get install' (which is not listed in the recommended sudoers), this elevates risk: either the installer will need to expand sudoers (increasing privilege), or planned installs will silently fail. The skill does not attempt to modify other skills' configurations directly in the code shown, but it does intend to auto-update OpenClaw skills (clawhub) which means it can change other skill state when run.