Back to skill

Security audit

Claw Sync

Security checks across malware telemetry and agentic risk

Overview

This is a real backup/sync skill, but it handles sensitive OpenClaw data and credentials with risky restore, force-push, and optional recurring-sync behavior.

Install only if you are comfortable uploading OpenClaw memory, profile/rules files, daily logs, and custom skills to a private Git repository. Use an empty dedicated private repo, a fine-grained token limited to that repo, restrictive permissions on ~/.openclaw/.backup.env, and review /sync --dry-run before syncing. Avoid /restore --force unless you have separately backed up your skills, and enable the 12-hour auto-sync only if recurring uploads are intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation declares commands that execute Node.js code and requires environment-based secrets in ~/.openclaw/.backup.env, yet no permissions are declared. This creates a transparency and trust problem: users may run a skill with access to sensitive environment/config data without an explicit permission boundary or warning, increasing the chance of unintended secret exposure or misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior presents the skill as a manual sync/restore tool, but the static analysis indicates additional cron-based auto-sync setup and scheduled execution every 12 hours. Hidden persistence or automation materially changes the security posture because it can cause ongoing data exfiltration, unexpected repository writes, or repeated secret handling without informed user consent.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The command dispatcher exposes `setup`/`cron` functionality that is not described in the advertised skill interface, creating hidden capability beyond the documented sync/restore/status scope. Undocumented privileged behaviors are dangerous because users and higher-level policy layers may not anticipate that invoking the skill can modify system scheduling or persistence-related settings.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Allowing the skill to invoke `setup-cron.js` gives it the ability to establish cron-based automation, which can create persistence and repeated execution on the host. In the context of a sync utility, this expands the trust boundary significantly: a user expecting on-demand backup commands may instead enable background scheduled actions that continue running after the original invocation.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script copies every custom skill directory under ~/.openclaw/workspace/skills into the backup, while the described scope emphasizes memory and workspace sync without clearly highlighting that full skill contents are included. Skills can contain code, secrets, prompts, or embedded tooling, so this broadens the data exfiltration surface beyond what a user may reasonably expect from the manifest.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The push operation uses 'git push ... --force' to overwrite the remote main branch, which is materially more destructive than an ordinary push and is not clearly disclosed by the manifest wording. If run against an existing repository, it can irreversibly replace history, destroy unrelated content, or wipe prior backups unless other recovery controls exist.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The entrypoint exposes functionality beyond what the manifest/description advertises, specifically backup listing and auto-sync setup. Hidden or undeclared capabilities reduce transparency and can bypass user or platform expectations about what the skill is allowed to do; in a sync tool, auto-sync setup is especially sensitive because it can create persistence or scheduled data movement.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The code implements setup/cron commands that are omitted from the top-level documentation, creating a mismatch between documented and actual behavior. While this file does not itself execute dangerous shell input, undocumented scheduling functionality in a backup/sync skill can mislead reviewers and users about persistence-related actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest describes syncing memory and workspace, but the restore logic also replaces entire skill directories from the remote backup. This expands the trust boundary from passive data restoration to code/content deployment, allowing a compromised backup repository or malicious backup content to introduce or overwrite executable skills that may later run in the local environment.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script copies the entire `workspace/skills` tree into the backup, which can include arbitrary custom code, prompts, embedded secrets, or third-party material beyond the narrower 'memory/workspace sync' expectation. This broad collection scope increases the chance of unintentionally exfiltrating sensitive or high-risk content to the remote repository.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
The script writes `hostname` and `platform` into `SYNC_METADATA.json`, which creates unnecessary host-identifying metadata in every backup. While low severity, this can aid fingerprinting and leak environment details unrelated to basic backup functionality.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents a restore capability that overwrites local memory and skill files, but it does not prominently warn users about the destructive nature of restore operations or the scope of files that may be replaced. In a backup/restore skill, this creates a realistic risk of accidental data loss or restoration of untrusted remote content into active workspace files, especially because the synced set includes custom skills.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The restore documentation explains usage but does not prominently warn that restore overwrites local memory and skills, and it advertises a --force flag that skips confirmation. In a skill that manages critical workspace state, insufficient warning raises the risk of destructive user actions, accidental rollback to attacker-controlled content, or loss of local changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly syncs highly sensitive agent and workspace data such as MEMORY.md, USER.md, SOUL.md, IDENTITY.md, AGENTS.md, daily logs, and custom skills to a remote repository, but the documentation does not prominently warn users about the privacy and security implications of uploading this data off-host. Even if the repository is intended to be private, remote compromise, misconfiguration, accidental sharing, or token leakage could expose sensitive personal or operational information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The /restore documentation describes restoring from remote and includes a --force option, but it does not clearly warn that restore will overwrite local files in the OpenClaw workspace. This increases the risk of accidental destructive actions, especially if a user restores the wrong version or uses --force without understanding the consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Using `git push ... --force` can overwrite remote history and destroy prior state without an explicit warning, confirmation, or safer conflict handling. In a backup tool, this is especially risky because it can silently replace the very history users rely on for recovery.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| `/restore` | Restore latest version |
| `/restore latest` | Same as above |
| `/restore backup-20260202-1430` | Restore specific version |
| `/restore --force` | Skip confirmation |
| `/sync-list` | List all available versions |
| `/sync-status` | Show config and local backups |
Confidence
82% confidence
Finding
Skip confirmation

Credential Access

High
Category
Privilege Escalation
Content
// Load env
function loadEnv() {
  const envFile = path.join(OPENCLAW_DIR, '.backup.env');
  if (fs.existsSync(envFile)) {
    const content = fs.readFileSync(envFile, 'utf8');
    content.split('\n').forEach(line => {
Confidence
87% confidence
Finding
.env'

Tool Parameter Abuse

High
Category
Tool Misuse
Content
safeExec(`git commit -m "${commitMsg}"`, { stdio: 'ignore' });

    // Push to main
    safeExec(`git push ${repoUrl} HEAD:main --force`, { stdio: 'pipe' });

    // Create version tag
    safeExec(`git tag ${tagName}`, { stdio: 'ignore' });
Confidence
99% confidence
Finding
git push ${repoUrl} HEAD:main --force

Tool Parameter Abuse

High
Category
Tool Misuse
Content
safeExec(`git commit -m "${commitMsg}"`, { stdio: 'ignore' });

    // Push to main
    safeExec(`git push ${repoUrl} HEAD:main --force`, { stdio: 'pipe' });

    // Create version tag
    safeExec(`git tag ${tagName}`, { stdio: 'ignore' });
Confidence
94% confidence
Finding
git push ${repoUrl} HEAD:main --force

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
claw-sync/index.js:53

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
claw-sync/scripts/pull.js:111

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
claw-sync/scripts/push.js:140

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.js:53

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/pull.js:111

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/push.js:140