Claw Sync

Security checks across malware telemetry and agentic risk

Overview

This is a genuine OpenClaw backup/sync skill, but it handles sensitive memory, custom skill code, and Git credentials, force-pushes to the remote repository, restores executable skills, and can set up recurring sync, all with too little containment.

Install only if you are comfortable backing up OpenClaw memory, profile files, rules, daily logs, and custom skills to a private Git repository. Use a fine-grained token limited to one empty private backup repo, inspect /sync --dry-run output, avoid --force restores, review the backup before restoring skills, and enable the 12-hour auto-sync only if recurring uploads are intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (18)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior does not fully match the reported code capabilities: auto-sync/cron setup, extra version-listing aliases, and syncing/restoring custom skills materially expand the attack surface beyond a simple memory backup tool. Hidden or under-disclosed behaviors are dangerous because users may authorize a 'secure sync' skill without realizing it can persist scheduled jobs or overwrite executable skill content, enabling stealthy persistence or supply-chain style compromise.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill exposes a hidden setup/cron capability that is not reflected in the documented or declared feature set. Undocumented system-modifying functionality increases risk because users and reviewers may invoke or ship the skill without realizing it can establish persistence or scheduled execution on the host.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The header claims only sync, restore, status, and list commands, but the code also implements setup/cron. This documentation mismatch can conceal privileged behavior from users and auditors, which is a security concern because it reduces informed consent and makes review less likely to catch persistence-related actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script restores `workspace/skills` from the backup repository even though the skill metadata describes syncing memory and workspace state, creating a supply-chain style risk where remote backup contents can replace or introduce executable/local agent skills. Because restored skills are copied recursively with `fs.cpSync` and no content validation, a compromised backup repo or token could silently plant code that later runs in the local agent environment.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script recursively copies every custom skill directory into the backup, which can include code, embedded secrets, test artifacts, or unrelated local data beyond the user's expected memory/workspace state. In a sync tool, this broad collection increases the chance of unintentionally exfiltrating sensitive material to a remote repository.

Context-Inappropriate Capability

Low
Confidence
77% confidence
Finding
The script writes hostname and platform into SYNC_METADATA.json before pushing it remotely. While not a direct exploit primitive, this creates unnecessary device fingerprinting data that can reveal host identity and environment details if the repository is shared, leaked, or compromised.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The CLI exposes hidden functionality (`setup`/`cron`) that is not described in the stated skill interface, creating a discrepancy between advertised and actual capabilities. In a security-sensitive sync tool, undeclared system-modifying behavior increases the risk of surprise persistence or background execution, especially if users or higher-level agents assume only sync/restore/status actions exist.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The file header and usage documentation omit the implemented `setup`/`cron` behavior, which misrepresents the skill's true capabilities. While this is primarily a transparency and trust issue rather than direct code execution risk, incomplete documentation around privileged or persistence-related features can mislead users and reviewers and conceal risky functionality.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The restore flow copies entire skill directories from a remote backup repository into the local skills path, replacing existing code without any integrity verification, review gate, or content restrictions. Because skills are executable/operational code, a compromised repo, stolen token, or malicious backup can turn a data restore operation into remote code deployment.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script claims to sync OpenClaw memory/workspace, but it also recursively copies all custom skills and pushes them to a remote repository. That can unintentionally exfiltrate proprietary code, embedded secrets, or unsafe agent content from the local workspace beyond what a user may reasonably expect from the description.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The restore documentation does not clearly warn that restoring can overwrite local memory and skills, which can lead to destructive data loss or replacement of trusted local skill code with remote content. This is especially sensitive here because the skill restores both user data and executable/custom skills, so an unsuspecting user could import malicious or outdated content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises 'secure sync' and documents '/sync' without a prominent warning that it uploads memory and workspace content to a remote repository. Because the synced set includes files like MEMORY.md, USER.md, SOUL.md, AGENTS.md, and custom skills, users may disclose sensitive prompts, personal data, operational details, or proprietary content without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The /restore documentation does not clearly warn that restoring can overwrite local memory and workspace state, and that '--force' suppresses safeguards. This can cause destructive loss of local changes, corruption of agent state, or restoration of untrusted remote content into active skill/workspace files.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The auto-sync setup path immediately launches a subprocess for cron configuration with no visible warning or confirmation in this file. Because cron setup changes host configuration and can create recurring execution, lack of a user-facing warning makes accidental persistence more likely and weakens trust boundaries for a sync utility.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script force-pushes HEAD to main, which can overwrite remote history and destroy existing repository contents without an explicit confirmation step. In the context of an automated backup skill, this is especially risky because a misconfigured repository or mistaken invocation can cause irreversible data loss on the destination.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The `setup`/`cron` path immediately launches a subordinate script for auto-sync setup without any user-facing warning, consent prompt, or preview of the system changes involved. Because cron or scheduled-task setup can establish persistence and alter host behavior, the lack of explicit notice is unsafe in the context of a tool marketed as a secure sync utility.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup Required

Create `~/.openclaw/.backup.env`:
```
BACKUP_REPO=https://github.com/username/your-repo
BACKUP_TOKEN=ghp_your_token
```
Confidence
88% confidence
Finding
Create `~/.openclaw

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```
safeExec(`git commit -m "${commitMsg}"`, { stdio: 'ignore' });

// Push to main
safeExec(`git push ${repoUrl} HEAD:main --force`, { stdio: 'pipe' });

// Create version tag
safeExec(`git tag ${tagName}`, { stdio: 'ignore' });
```
Confidence
97% confidence
Finding
git push ${repoUrl} HEAD:main --force

VirusTotal

64/64 vendors flagged this skill as clean.