Avenger Initiative

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine backup tool, but it warrants review before use: it can automatically upload a broad slice of OpenClaw agent state to a GitHub repository, and most of that data is stored there in plaintext; only the openclaw.json configuration is encrypted.

Install it only if you intentionally want broad OpenClaw backups pushed to a dedicated private GitHub vault. Before the first upload, inspect what the plaintext portion of the backup contains; lock down the GitHub account and repository (2FA, a token scoped to that one repo); store the encryption key somewhere other than the chat log where the skill prints it; and disable the nightly cron job and the silent backup-after-config-change trigger if you do not want ongoing automatic uploads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to execute shell scripts and perform file writes, but it does not declare those capabilities as permissions. That weakens user awareness and policy enforcement around highly sensitive operations like modifying cron jobs, writing credentials/config files, and pushing data to GitHub. In a backup skill that touches secrets and system state, undeclared shell/file access materially increases risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior omits several sensitive actions: storing a GitHub token in a clone URL, printing the encryption key to stdout, modifying cron configuration, initializing remote repository state, and writing audit logs. These mismatches prevent informed consent and hide security-relevant side effects, especially where credentials and persistence are involved. Documented but missing or unimplemented features such as status reporting and auto-run further erode trust in the skill's safety model.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The security model claims that non-encrypted files contain no secrets, but the stated backup scope includes memory logs, SOUL/IDENTITY, workspace files, custom skills, and cron definitions. Those artifacts commonly contain credentials, prompts, internal URLs, operational details, or other sensitive data. Backing them up in plaintext to GitHub creates a substantial confidentiality risk if the repo is exposed or accessed by an attacker.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The generated README explicitly tells users that only openclaw.json contains secrets and that everything else is safe plaintext, but the script backs up workspace, memory, identity, SOUL, USER, AGENTS, and skill files unencrypted. In an agent system, those files can contain credentials, prompts, personal data, operational secrets, and recovery material, so the misleading claim materially increases the chance of sensitive data being exposed to the remote GitHub vault.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that only `openclaw.json` is encrypted while agent memories, SOUL/IDENTITY files, cron jobs, and custom skills are stored in plaintext in the private GitHub repository. Although this is disclosed in the security model, the overall marketing language emphasizes 'encrypted backup & restore' and 'everything needed to fully restore from zero,' which can mislead users into assuming the backup set is broadly encrypted when highly sensitive operational data remains exposed to anyone who gains access to the repo.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The phrase 'Also auto-runs after any critical config change' is ambiguous and underspecified, leaving wide discretion for when the skill executes. In practice, that can cause silent transmission of newly changed secrets or configuration to a remote vault without sufficiently clear user intent. Ambiguous autonomous triggers are especially risky in a skill that handles credentials and system backups.

Vague Triggers

Medium
Confidence
91% confidence
Finding
A silent backup after config changes lacks constraints, user visibility, and confirmation requirements. Since config changes often involve tokens, keys, or operational settings, automatic silent backup can exfiltrate sensitive state to GitHub at precisely the moment new secrets are introduced. The silent nature of the trigger makes misuse or accidental activation harder for users to detect.

Missing User Warnings

High
Confidence
96% confidence
Finding
The backup scope includes memories, identity files, custom skills, and cron definitions, yet the description does not clearly warn that this data is transmitted to GitHub on every routine backup. Users may reasonably assume that only the encrypted configuration is sensitive, when the other uploaded artifacts can also reveal secrets or operational intelligence. Inadequate disclosure undermines informed consent for the outbound transfer of sensitive data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script copies large amounts of potentially sensitive plaintext data into a GitHub repository, including workspace markdown, memory logs, agent identity files, and custom skills, without an explicit warning or consent gate in the backup flow itself. Even if the repository is intended to be private, this creates unnecessary exposure to GitHub account compromise, misconfiguration, insider access, or later accidental publication.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script retrieves a GitHub auth token and embeds it directly in the clone URL. Tokens placed in command arguments and URLs can leak through process listings, shell tracing (set -x), logs, error messages, or the remote URL that git retains in the temporary clone's .git/config, exposing the credential that grants access to the vault repository.
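Two of the checks above are worth automating: the Overview's advice to inspect the plaintext staging tree before the first push, and this finding's point about the token in the clone URL. The script below is an added example, not the skill's own code. It assumes the skill stages the backup in a directory before pushing, that the token is exported as GITHUB_TOKEN, and that the secret patterns are illustrative rather than exhaustive; scan_backup_tree, url_embeds_credential, git_config_leaks_token and clone_private_vault are names chosen here. The clone uses git's documented "!command" credential-helper form so the token is read from the environment only when git asks for it and never lands in argv or .git/config.

```shell
#!/bin/sh
# Pre-push review of a staged OpenClaw backup tree, plus a clone that keeps the
# GitHub token out of the URL. Added example, not the skill's own code.
# Assumptions (not from the page): the skill stages the backup in a directory
# before pushing, the token is exported as GITHUB_TOKEN, and the secret
# patterns below are illustrative rather than exhaustive.
set -u

# Credentials embedded in a URL, the shape the finding describes: https://user:secret@host/...
CRED_URL_RE='https?://[^/[:space:]]+:[^@/[:space:]]+@'

# scan_backup_tree DIR: print file:line:match for every secret-looking string
# outside .git/. Returns 0 when clean, 1 when something was found, 2 on error.
scan_backup_tree() {
  dir=$1
  pat=$(mktemp)
  cat >"$pat" <<EOF
gh[pousr]_[A-Za-z0-9]{20,}
AKIA[0-9A-Z]{16}
-----BEGIN [A-Z ]*PRIVATE KEY-----
(password|passwd|secret|token)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}
$CRED_URL_RE
EOF
  status=0
  grep -rInoE --exclude-dir=.git -f "$pat" "$dir" || status=$?
  rm -f "$pat"
  case $status in
    0) return 1 ;;   # grep found matches: the tree is not clean
    1) return 0 ;;   # nothing matched
    *) return 2 ;;   # grep itself failed (missing dir, permissions, ...)
  esac
}

# count_secret_hits DIR: number of distinct file:line locations flagged.
count_secret_hits() {
  scan_backup_tree "$1" | cut -d: -f1,2 | sort -u | wc -l | tr -d ' '
}

# url_embeds_credential URL: succeeds if the URL carries user:secret@. The same
# expression is what to grep for in shell history, logs and audit output.
url_embeds_credential() {
  printf '%s\n' "$1" | grep -qE "$CRED_URL_RE"
}

# git_config_leaks_token CLONE_DIR: succeeds if the clone's .git/config still
# holds a remote URL with an embedded token (git keeps it after cloning).
git_config_leaks_token() {
  grep -qE "url[[:space:]]*=[[:space:]]*$CRED_URL_RE" "$1/.git/config" 2>/dev/null
}

# clone_private_vault REPO_URL DEST: clone with a one-shot "!command" credential
# helper. git runs the snippet when it needs credentials, the helper reads the
# token from the environment, and nothing secret is in argv or the remote URL.
# GitHub accepts a token as the password with any username. Not exercised offline.
clone_private_vault() {
  repo=$1
  dest=$2
  [ -n "${GITHUB_TOKEN:-}" ] || { echo "GITHUB_TOKEN is not set" >&2; return 1; }
  git -c credential.helper='!f() { printf "username=x-access-token\npassword=%s\n" "$GITHUB_TOKEN"; }; f' \
      clone --quiet "$repo" "$dest"
}

# Usage: sh review-backup.sh STAGE_DIR   (exits non-zero when secrets are found)
if [ "$#" -gt 0 ]; then
  if scan_backup_tree "$1"; then
    echo "clean: $1 contains nothing that looks like a secret"
  else
    echo "do not push: secret-looking content found in $1 (see lines above)" >&2
    exit 1
  fi
fi
```

Run it against the staging directory before the first push and again whenever the backup scope changes; a clean result only means none of the listed patterns matched, so the memory and identity files still deserve a manual read. After any clone made with a token-bearing URL, git_config_leaks_token on the temporary clone tells you whether the credential is sitting on disk.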

VirusTotal

65/65 vendors flagged this skill as clean.