MyOpenClaw Backup Restore

Security checks across malware telemetry and agentic risk

Overview

The backup/restore purpose is clear, but this skill handles credential-filled OpenClaw archives and has unsafe shell and token-handling patterns that should be reviewed before use.

Install only if you need full OpenClaw backup/restore and trust the publisher. Store backups encrypted, do not expose the HTTP server outside trusted networks, avoid putting the server token in shell history or URLs, use dry-run before restore, and restore only trusted archives with safe filenames.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

A maliciously named archive or output path could cause unintended local commands to run during backup or restore.

Why it was flagged

Backup and restore paths are placed inside shell command strings rather than passed as argument arrays. Because the skill documents user-supplied restore archives and output directories, crafted path names could affect local shell execution.

Skill content
execSync(`tar -czf "${archivePath}" -C "${parentDir}" "${dirName}"`, { stdio: 'ignore' }); ... execSync(`tar -xzf "${archivePath}" -C "${destDir}"`, { stdio: 'ignore' });
Recommendation

Use execFile/spawn with argument arrays, strictly validate archive/output paths and generated filenames, and avoid restoring or operating on archives with untrusted or unusual filenames.

ASI03: Identity and Privilege Abuse
Medium
What this means

Shell history, process listings, browser history, or copied URLs could expose the server token, allowing access to sensitive backup archives if the server is reachable.

Why it was flagged

The token that gates access to backup archives is shown in process arguments and URL query strings, while the archives themselves contain high-value credentials.

Skill content
node scripts/server.js --token <secret> [--port 7373] ... Web UI at `http://localhost:<port>/?token=<token>` ... Archives contain bot tokens, API keys, and credentials.
Recommendation

Prefer an environment variable or secret manager for the token, use Authorization headers instead of query strings where possible, bind or firewall the server to trusted interfaces, and rotate any exposed token.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

If exposed beyond a trusted network, the server can become a path to retrieve credential-bearing backups or stage untrusted archives.

Why it was flagged

The remote HTTP interface is disclosed and token-protected, but it can still list, upload, and download archives that contain credentials.

Skill content
- Remote: list, download, upload only
- Localhost: backup, restore (shell execution restricted to localhost)
...
Archives contain bot tokens, API keys, and credentials.
Recommendation

Use the HTTP server only on localhost, a VPN, SSH tunnel, or another trusted encrypted channel; stop it when done and verify uploaded archives before restore.

ASI06: Memory and Context Poisoning
Medium
What this means

Restoring an untrusted archive could change the agent's future behavior, remembered facts, or context used in later tasks.

Why it was flagged

The backup intentionally preserves persistent agent memory, persona/user files, session history, and memory indexes.

Skill content
Workspace ... MEMORY.md, SOUL.md, USER.md ... Session history ... Full conversation history (.jsonl) ... Memory index ... QMD memory search index
Recommendation

Restore only archives you trust, use dry-run first, and inspect or diff workspace and memory files before applying a restore from another machine or person.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

It is harder to verify provenance for a skill that can read, write, and restore the user's full OpenClaw state.

Why it was flagged

The registry owner/version and packaged _meta.json owner/version do not match, and no source or homepage is provided.

Skill content
Registry metadata: Owner ID kn761rne5jajzfg0d8h6nge4hh8220cq, Version 3.0.2, Source: unknown, Homepage: none; _meta.json: ownerId kn7fymx2je994eh44j51che37s824w29, version 3.0.0
Recommendation

Verify the publisher and package source before installation, and prefer a release with consistent metadata and an auditable source repository.

ASI10: Rogue Agents
Medium
What this means

A restored backup can re-enable old scheduled actions, watchdog behavior, or helper scripts that continue operating after the immediate restore task.

Why it was flagged

The restore scope includes scheduled tasks and guardian/watchdog scripts that can keep OpenClaw behavior running after the restore.

Skill content
Cron jobs ... Scheduled tasks ... Scripts | `guardian.sh`, `gw-watchdog.sh`, `start-gateway.sh` | Auto-restart and guardian logic
Recommendation

Review cron and guardian/watchdog files in the archive, especially when migrating from another machine, and disable anything unexpected after restore.