Skill v1.0.5

ClawScan security

Avenger Initiative · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 19, 2026, 12:45 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior mostly matches a GitHub-backed encrypted backup tool, but there are a few implementation and scope choices (notably a token-in-URL clone in setup, broad plaintext backup of many workspace files, and an automatic backup trigger) that are inconsistent or could lead to unintended credential exposure — review before installing.
Guidance
This skill appears to implement the advertised encrypted GitHub backup/restore flow, but review and consider the following before installing:
- Inspect setup.sh: it calls 'gh auth token' and injects the token into an HTTPS clone URL (https://${GH_TOKEN}@...). That pattern can leak tokens in some environments; prefer 'gh repo clone' or remove token-in-URL behavior.
- Confirm the vault repo is private and you control it; enable 2FA and secret scanning on the account that owns the vault.
- Store the generated encryption key securely (the skill prints it and asks you to save it). If you lose the key, backups are irrecoverable; if the key is leaked, encrypted secrets can be decrypted.
- Understand what the scripts copy: memory logs, custom skills, and other plaintext files are included. Verify those files don't contain additional secrets you don't want in the repo.
- Be aware the setup writes a cron job to run backups automatically and the skill may auto-run after config changes. If you want manual control, skip the cron insertion or remove the job.
- As a precaution, run setup and the first backup in a non-production environment to verify behavior. Consider auditing/grepping your workspace for stray credentials before allowing automatic backups.
If you want, I can highlight the exact lines in setup.sh that embed the token and show a safer replacement, or produce a checklist of items to audit in your workspace before installing.
Findings
[openssl-enc] expected: The scripts use openssl enc -aes-256-cbc to encrypt openclaw.json before pushing — this is expected and appropriate for the stated purpose. Heuristic scanners often flag encryption operations though they are benign here.
[git-push] expected: The backup commits and pushes to the user's vault repo; git push is expected for this skill's purpose.
[gh-auth-token-usage] expected: Using the GitHub CLI to verify authentication and to clone via 'gh' is expected. However, how the token is used in setup.sh (see next finding) matters.
[token-in-url-clone] unexpected: setup.sh constructs a clone URL that embeds GH_TOKEN (https://${GH_TOKEN}@...), which is unnecessary and riskier than using 'gh repo clone'. The changelog even references moving away from token-in-URL clones, yet setup.sh still performs it. This inconsistency raises a moderate risk of accidental token disclosure (process args, .git/config, or logs).
[reads-local-credentials] expected: Scripts read ~/.openclaw/credentials/avenger.key and avenger-config.json — expected because the skill stores a local encryption key and repo config there.
[cron-modification] expected: setup.sh injects a job into the OpenClaw cron jobs.json to schedule nightly backups. This is consistent with the skill but gives it persistent automatic execution rights; users should be aware.

Review Dimensions

Purpose & Capability
ok: Name/description (encrypted GitHub backup/restore) align with the included scripts and runtime instructions: the scripts encrypt openclaw.json and push a snapshot to a user-provided private GitHub repo using the GitHub CLI. Required capabilities (gh, git, openssl) are reasonable and expected for this functionality.
Instruction Scope
note: SKILL.md and the scripts keep scope to backup/restore operations, but the skill will copy many workspace files, agent workspaces, custom skills, and memory logs (plaintext) into the vault. It also auto-adds a cron job entry so backups can run silently after config changes. Backing up all custom skills and memory logs is functionally justified for a full restore, but this expands the data surface (these files can accidentally contain secrets). The SKILL.md claim that only openclaw.json contains secrets is an assumption that may not hold on all deployments.
Install Mechanism
ok: No external install step is declared (instruction-only), and scripts are plain Bash included in the package. There is no download-from-untrusted-URL or binary execution beyond system tools (git, gh, openssl). This is low risk compared to code that downloads and executes remote artifacts.
Credentials
concern: The package requests no extra environment variables, which is appropriate. However, setup.sh calls 'gh auth token' and then injects that token into an HTTPS URL used for git clone (REPO_URL contains https://${GH_TOKEN}@...), which is unnecessary (other scripts correctly use 'gh repo clone') and increases the chance of token leakage (e.g., in process args, local .git config during clone, or unexpected logging). The scripts read local key files under ~/.openclaw/credentials (expected) but also copy any workspace content and custom-skill scripts — which may contain sensitive strings in some deployments. The overall set of file accesses is proportional to a full-system backup but does widen the data surface compared to a minimal secrets-only backup.
Persistence & Privilege
note: always:false and user-invocable:true are reasonable. The skill modifies the OpenClaw cron jobs.json to schedule nightly backups and can auto-run after 'critical config change' (per SKILL.md). Modifying the agent's cron configuration is expected for scheduled backups, but users should be aware backups may run automatically and silently (pushing data to the configured GitHub vault) unless they opt out.