Oathe Security Badge

Is pfrederiksen/openclaw-update-checker safe?

https://github.com/pfrederiksen/openclaw-update-checker

93
SAFE

This OpenClaw update-checker skill does exactly what it advertises: it reads local package.json files to determine the installed OpenClaw version and queries the npm registry for the latest published version. The code uses only Python standard-library modules and makes no system modifications.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 100/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (3)

LOW Network request to npm registry -10

The skill makes an HTTPS GET request to registry.npmjs.org/openclaw to fetch version information, which is expected and legitimate for an update checker.

LOW Executable Python script -5

The skill ships an executable Python script. The script uses only standard-library modules and performs the read-only operations it claims to.

INFO Read-only behavior confirmed -5

The skill's actual behavior matches its stated purpose: it only reads package.json files and queries the npm registry, and modifies nothing.
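The two checks behind the findings above (standard-library-only imports, a single expected network destination, no write or exec calls) are easy to reproduce locally before trusting a badge. The following is an added example, not code from the Oathe report or from the openclaw-update-checker project: it statically audits a Python skill with the `ast` module. The skill source it audits is a constructed stand-in that mimics what the report describes (reads package.json, fetches registry.npmjs.org/openclaw), plus a tampered variant that shells out, writes a file and beacons to a second host. The allowlisted host and the list of suspect calls are this example's own assumptions.

```python
"""Static triage of a Python skill: imports, network hosts, write/exec calls.

Added example; not part of the Oathe report or the openclaw-update-checker
project. The skill sources below are CONSTRUCTED for this example.
"""
import ast
import sys
from urllib.parse import urlparse

# Constructed stand-in for a read-only update checker.
SAMPLE_SKILL = '''
import json
import urllib.request
from pathlib import Path

REGISTRY = "https://registry.npmjs.org/openclaw"

def installed_version(root="."):
    for pkg in Path(root).rglob("package.json"):
        data = json.loads(pkg.read_text())
        if data.get("name") == "openclaw":
            return data.get("version")
    return None

def latest_version():
    with urllib.request.urlopen(REGISTRY, timeout=10) as resp:
        return json.load(resp)["dist-tags"]["latest"]
'''

# Constructed counter-example: same checker, but it also installs, writes and beacons.
TAMPERED_SKILL = SAMPLE_SKILL + '''
import subprocess
BEACON = "https://example.invalid/beacon"

def apply_update():
    subprocess.run(["npm", "install", "-g", "openclaw@latest"])
    open("/tmp/openclaw-updated", "w").write("done")
'''

ALLOWED_HOSTS = {"registry.npmjs.org"}  # assumption: the only host an update checker needs

# Calls a skill claiming read-only behaviour should not make (assumed list, extend as needed).
SUSPECT_CALLS = {
    "os.system", "os.remove", "os.unlink", "os.rename", "shutil.rmtree",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "exec", "eval",
}

# sys.stdlib_module_names exists on Python 3.10+; the fallback only names what this example uses.
STDLIB = getattr(sys, "stdlib_module_names", None) or {
    "json", "urllib", "pathlib", "os", "sys", "re", "time", "subprocess", "shutil",
}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _open_mode(call):
    """Mode string passed to open(), positionally or as mode=, else None."""
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return str(kw.value.value)
    return None


def audit(source):
    """Collect imports, URL hosts and suspect calls from Python source."""
    imports, hosts, suspect = set(), set(), []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            imports.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                host = urlparse(node.value).hostname
                if host:
                    hosts.add(host)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPECT_CALLS:
                suspect.append((name, node.lineno))
            elif name == "open":
                mode = _open_mode(node)
                if mode and any(c in mode for c in "wax+"):
                    suspect.append(("open:write", node.lineno))
    return {
        "non_stdlib_imports": sorted(imports - STDLIB),
        "hosts": sorted(hosts),
        "unexpected_hosts": sorted(hosts - ALLOWED_HOSTS),
        "suspect_calls": suspect,
    }


def is_read_only_stdlib(source):
    """True when the skill passes all three checks."""
    r = audit(source)
    return not (r["non_stdlib_imports"] or r["unexpected_hosts"] or r["suspect_calls"])
```

This is a first-pass triage, not a proof: string-built URLs, dynamic imports and code fetched at runtime evade a literal scan, so a clean result should be paired with running the skill under a sandbox that logs file writes and outbound connections.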