OpenClaw Checkpoint - Personal AI Assistant Backup & Recovery (Github)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw backup-and-restore skill, but it needs review because installation and scope disclosures are too broad or unclear for the level of access involved.

Review the GitHub installer and scripts before installing, preferably avoid the curl-to-bash path, and use a private repository with narrowly scoped GitHub authentication. Confirm exactly which workspace, agent, scheduler, and restore paths will be touched before enabling automatic backups or running restore/reset commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The quick-install command downloads a remote script and immediately executes it with bash, giving the remote content full code-execution on the user's machine at install time. Even though the text suggests reviewing it first, the documented default path is still unsafe because any repository compromise, MITM at the content source, or malicious update would execute immediately.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README states that file access is limited to ~/.openclaw/workspace, but elsewhere documents writing a launchd plist under ~/Library/LaunchAgents and modifying user cron. This is a security-relevant documentation mismatch because users may grant trust based on an inaccurate scope statement and fail to understand that persistence artifacts are created outside the workspace.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions normalize piping a fetched script directly into a shell without a strong, front-loaded warning about the security implications. The follow-up note to review it first is weak because the example itself encourages immediate execution and many users will copy-paste it verbatim.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The restore flow is described as allowing checkpoint selection and restore, but it does not clearly warn that restoring can overwrite the current workspace state. In a backup/rollback tool, lack of an explicit overwrite warning increases the risk of accidental destructive actions and data loss, especially when restoring older checkpoints.

External Script Fetching

Low
Category
Supply Chain
Content
## Quick Install

```bash
curl -fsSL https://raw.githubusercontent.com/AnthonyFrancis/openclaw-checkpoint/main/scripts/install-openclaw-checkpoint.sh | bash
```

This runs the install script -- review it first if you prefer to inspect before executing.
Confidence
95% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/AnthonyFrancis/openclaw-checkpoint/main/scripts/install-openclaw-checkpoint.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
## Quick Install

```bash
curl -fsSL https://raw.githubusercontent.com/AnthonyFrancis/openclaw-checkpoint/main/scripts/install-openclaw-checkpoint.sh | bash
```

This runs the install script -- review it first if you prefer to inspect before executing.
Confidence
99% confidence
Finding
| bash

VirusTotal

66/66 vendors flagged this skill as clean.
