v1.0.5

OpenClaw Checkpoint - Personal AI Assistant Backup & Recovery (Github)

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:18 AM.

Analysis

This backup skill is coherent in purpose, but it should be reviewed carefully because it relies on remote unpinned installer scripts, understates its file-system scope, and includes a destructive delete command while handling sensitive OpenClaw memory and GitHub access.

GuidanceInstall only if you are comfortable reviewing and trusting the external GitHub scripts, using a private repository, and granting GitHub authentication for your backup. Avoid the pipe-to-bash quick install unless you inspect or pin it first, confirm destructive restore/reset actions before running them, and verify any scheduled backup jobs you enable.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityHighConfidenceHighStatusConcern

INSTALL.md

curl -fsSL https://raw.githubusercontent.com/AnthonyFrancis/openclaw-checkpoint/main/scripts/install-openclaw-checkpoint.sh | bash

The installation path executes a remote script from the mutable main branch, while the reviewed package contains no helper scripts or install spec; those external scripts would control sensitive backup and restore behavior.

User impactA changed or compromised remote installer could run arbitrary commands as the user and access the OpenClaw state being backed up or restored.

RecommendationAvoid pipe-to-bash installs; inspect the installer first, pin to a reviewed commit, and prefer a package that includes the actual scripts in the reviewed artifact.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

README.md

macOS: Creates a launchd plist at `~/Library/LaunchAgents/com.openclaw.checkpoint.plist` ... **File access scope**: The skill only reads and writes within `~/.openclaw/workspace`. It does not access files outside this directory.

The documentation claims no file access outside the workspace while also describing a scheduler write outside that directory; other artifact text also describes backing up agent folders from ~/.openclaw/agents.

User impactUsers may underestimate the local files and persistent configuration this skill touches.

RecommendationTreat the skill as having access to OpenClaw workspace data, agent folders, and user-level scheduler configuration; the publisher should correct the scope statement.

Tool Misuse and Exploitation

SeverityMediumConfidenceMediumStatusConcern

SKILL.md

rm -rf ~/.openclaw/workspace/agents

The static scan found a destructive recursive delete command in the skill documentation without an explicit confirmation gate.

User impactRunning the command as written could remove backed-up agent files from the OpenClaw workspace.

RecommendationRequire an explicit user confirmation, show the exact path to be deleted, and recommend making a separate backup before destructive cleanup.

Rogue Agents

SeverityLowConfidenceHighStatusNote

README.md

macOS: Creates a launchd plist at `~/Library/LaunchAgents/com.openclaw.checkpoint.plist`
- **Linux**: Adds a user-level cron job ... Auto-backup is **opt-in only**

The skill can create recurring background backup jobs under the user's account; this is disclosed as opt-in, but it is persistent behavior.

User impactBackups may continue to run on a schedule after setup and continue pushing updated OpenClaw state to GitHub.

RecommendationEnable scheduling only if desired, inspect crontab or LaunchAgents after setup, and use checkpoint-stop or checkpoint-schedule disable when no longer needed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

README.md

- SSH key or GitHub Personal Access Token
- A **private** GitHub repository for storing backups

GitHub authentication is expected for a GitHub backup tool, but it grants access to the repository containing the user's OpenClaw state.

User impactA broad token or misconfigured repository could expose or allow modification of backups.

RecommendationUse a private repository and the least-privileged authentication method available, and avoid broad personal access token scopes.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

README.md

Your backup contains personal data:
- Agent identity and personality
- Conversation history and memories
- Personal notes and configurations

The skill intentionally stores and restores persistent identity, memory, and configuration data that can influence future agent behavior.

User impactSensitive history may be stored remotely, and restoring an unwanted or tampered backup could reintroduce bad instructions or stale memories.

RecommendationKeep the repository private, review backup contents before sharing or restoring, and restore only from repositories and commits you trust.