OpenClaw Backup Automation

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw backup tool, but it needs review because restore and git-sync behavior can overwrite or expose local state if misused.

Review or patch the restore command before installing; it should validate backup names and avoid shell-string exec. Keep credential backup disabled unless archives are protected, enable git sync only with a trusted private remote after checking what will be pushed, and restore only from verified backups after taking a fresh backup of current state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill advertises operational commands that can interact with backups, restore state, scheduling, and optional credential handling, but the metadata declares no required permissions. This creates a mismatch between the skill's stated capabilities and its declared trust boundary, which can mislead operators and any permission-gating system about what the skill may access or modify.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script can automatically commit and push workspace contents to a remote repository when an opt-in flag is enabled. In the context of a backup tool, this broadens data exfiltration risk because backed-up workspace content may contain sensitive prompts, memory, agent definitions, or accidentally committed secrets, and the code performs no repository allowlisting, branch validation, or content filtering.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger list includes broad everyday terms like "save" and "export," which are likely to appear in unrelated conversations. That can cause unintended invocation of backup behavior or backup-oriented suggestions in contexts where the user did not intend system-wide backup operations.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The first-use suggestion logic is keyed off ambiguous phrases like "backup" or "save my config" without requiring confirmation that the user wants this specific skill or instance-wide action. In an agent environment, ambiguous activation cues can lead to unsolicited operational guidance or accidental initiation of persistence-related workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The restore instructions include destructive operations such as deleting an agent and extracting archives with overwrite semantics, but they do not prominently warn that existing state may be replaced or lost. A user following these commands could unintentionally destroy current data or restore stale or malicious content over a live installation.

VirusTotal

No VirusTotal findings
