openclaw-backup-restore

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate OpenClaw backup tool, but it creates portable archives containing credentials and session data by default without strong enough handling safeguards.

Install only if you intentionally want a full-fidelity backup that includes secrets and login/session material. Use GPG encryption for every backup before moving it off the machine, avoid unencrypted cloud or removable-media storage, restrict file permissions, and rotate credentials if an archive may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly states that backups include credentials, secrets, memory, and workspace, but it does not prominently warn users that the archive is highly sensitive or that restoring/transferring it creates confidentiality risk. In a backup/restore skill, omission of handling guidance materially increases the chance that users will store or transmit secret-bearing archives insecurely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The migration guidance tells users to copy the archive via USB, cloud, or SCP without emphasizing that the archive may contain credentials and other secrets, nor requiring encryption before transport. This can lead to accidental exposure through lost media, misconfigured cloud storage, or compromised transfer endpoints.

Session Persistence

Medium
Category
Rogue Agent
Content
## Usage examples

```bash
# Create a backup in ~/openclaw-backups/
bash scripts/backup.sh

# Backup to a custom directory
```
Confidence
84% confidence
Finding
```bash
# Create a backup in ~/openclaw-backups/
bash scripts/backup.sh

# Backup to a custom directory
bash scripts/backup.sh --output /Volumes/USB/backups

# Backup with GPG encryption
bash scripts/backup.sh
```

VirusTotal

VirusTotal findings are pending for this skill version.
