Reolink Remote Backup
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: reolink-remote-backup
Version: 0.3.0
The skill bundle provides a legitimate and well-structured set of scripts for setting up a Reolink camera backup relay via a VPS. The scripts (setup_local_pull.sh, setup_vps_vsftpd.sh, and setup_vps_retention.sh) include robust input validation, use secure transport (FTPS and SSH/rsync), and follow security best practices such as principle of least privilege for the FTP user. No evidence of malicious intent, data exfiltration, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a wrong or malicious path is supplied, the script could change ownership or permissions on important VPS directories and break or expose the system.
A root-run script accepts an optional FTP root path and recursively changes ownership and permissions without validating that the path is safe or under /srv/reolink.
FTP_ROOT="${2:-/srv/reolink}" ... chown -R "$FTP_USER:$FTP_USER" "$FTP_ROOT" ... chmod 755 "$FTP_ROOT"
Use only the default path unless the script is changed to validate the real path, reject system directories such as /, /etc, /usr, and /var, and require explicit confirmation before recursive changes.
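The path check described above, as an added example that is not code from the reolink-remote-backup skill or from ClawScan. It assumes the only tree the setup script may touch is /srv/reolink (the skill's default), refuses anything else (including the system directories the recommendation lists, paths with `..` components, and symlinks that resolve outside the tree), and turns the quoted `chown -R` / `chmod` into a dry run unless the operator confirms with an `FTP_ROOT_CONFIRM=yes` variable, which is a name invented for this example.

```shell
#!/bin/sh
# Added example, not code from the reolink-remote-backup skill: validate the
# optional FTP root argument before a root-run setup script does chown -R and
# chmod on it. Assumption: the only tree the script may touch is /srv/reolink
# (the skill's default); anything else, including the system directories the
# page lists, is refused.

ALLOWED_BASE="/srv/reolink"   # assumption: the only allowed tree for the FTP root

# validate_ftp_root PATH -> 0 if PATH is safe for recursive chown/chmod, 1 if not.
validate_ftp_root() {
    p="$1"
    # 1. non-empty and absolute; a relative path depends on the caller's cwd
    case "$p" in
        "" | [!/]*) echo "reject: not an absolute path: '$p'" >&2; return 1 ;;
    esac
    # 2. no '..' components, which would defeat the prefix check in step 5
    case "/$p/" in
        */../*) echo "reject: '..' component in '$p'" >&2; return 1 ;;
    esac
    # 3. collapse repeated slashes and drop a trailing one, so "//etc/" == "/etc"
    p=$(printf '%s' "$p" | sed -e 's#//*#/#g' -e 's#\(.\)/$#\1#')
    # 4. explicit denylist of system directories (defence in depth; step 5 is
    #    the real guard)
    case "$p" in
        / | /etc | /usr | /var | /bin | /sbin | /boot | /root | /home | /srv)
            echo "reject: system directory '$p'" >&2; return 1 ;;
    esac
    # 5. must be the allowed base itself or a path below it; the "/*" pattern
    #    means "/srv/reolinkevil" does not pass as a prefix match
    case "$p" in
        "$ALLOWED_BASE" | "$ALLOWED_BASE"/*) ;;
        *) echo "reject: '$p' is outside $ALLOWED_BASE" >&2; return 1 ;;
    esac
    # 6. if the path already exists, follow symlinks and re-check where it
    #    really points (a symlink /srv/reolink/x -> /etc would otherwise pass)
    if [ -e "$p" ]; then
        real=$(readlink -f -- "$p") || return 1
        case "$real" in
            "$ALLOWED_BASE" | "$ALLOWED_BASE"/*) ;;
            *) echo "reject: '$p' resolves to '$real' outside $ALLOWED_BASE" >&2; return 1 ;;
        esac
    fi
    return 0
}

# setup_ftp_root USER [PATH]: hardened counterpart of the quoted snippet. It
# prints the privileged commands instead of running them unless the operator
# confirms with FTP_ROOT_CONFIRM=yes (variable name is an assumption of this
# example), so a typo never reaches chown -R.
setup_ftp_root() {
    ftp_user="$1"
    ftp_root="${2:-$ALLOWED_BASE}"
    validate_ftp_root "$ftp_root" || return 1
    if [ "${FTP_ROOT_CONFIRM:-no}" != "yes" ]; then
        echo "dry run: would run on $ftp_root (set FTP_ROOT_CONFIRM=yes to apply):"
        echo "  chown -R $ftp_user:$ftp_user $ftp_root"
        echo "  chmod 755 $ftp_root"
        return 0
    fi
    chown -R "$ftp_user:$ftp_user" "$ftp_root" && chmod 755 "$ftp_root"
}

# Constructed candidates for a self-check (none of these is touched on disk)
for candidate in /srv/reolink /srv/reolink/incoming /srv/reolink/ \
                 /srv/reolink/../../etc /srv/reolinkevil /etc / relative/dir; do
    if validate_ftp_root "$candidate" 2>/dev/null; then
        echo "accept: $candidate"
    else
        echo "reject: $candidate"
    fi
done
```

Step 5 is the guard that matters; the denylist in step 4 only makes the refusal message clearer for the cases the recommendation names. Run `setup_ftp_root reolinkftp` once without confirmation to see the commands, then again with `FTP_ROOT_CONFIRM=yes` to apply them.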
A malformed retention value could install an unintended root cron job or cause unsafe deletion behavior.
The retention value is inserted directly into a cron command with no numeric validation, so shell metacharacters or cron separators in the argument could become a persistent root-scheduled command.
DAYS="${1:-30}" ... echo "30 3 * * * find /srv/reolink/incoming -type f -mtime +${DAYS} -delete" ) | crontab -
Validate DAYS as a bounded integer before writing crontab entries, inspect `crontab -l` after installation, and run the script only with a simple numeric value such as `30`.
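The retention check described above, as an added example that is not the skill's own code. It treats the value as valid only if it is made of ASCII digits and falls in an assumed range of 1 to 3650 days, builds the cron line from the validated value rather than from the raw argument, and ends the install step with `crontab -l` so the operator sees what root will run. The directory /srv/reolink/incoming is taken from the quoted snippet; the range and the dedup-by-directory behaviour are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the skill's own code: validate the retention argument as a
# bounded integer before it is interpolated into a root cron entry, then build
# the entry from the validated value. Assumptions: retention is whole days in
# the range 1..3650, and the directory is /srv/reolink/incoming as in the
# quoted snippet.

DAYS_MIN=1
DAYS_MAX=3650                       # assumption: about ten years is the ceiling
INCOMING="/srv/reolink/incoming"

# normalize_days VALUE -> prints VALUE without leading zeros ("007" -> "7").
normalize_days() {
    printf '%s' "$1" | sed 's/^0*\([0-9]\)/\1/'
}

# validate_days VALUE -> 0 if VALUE is a plain integer within bounds, 1 if not.
validate_days() {
    d="$1"
    # Digits only. This single check rejects "", "-5", "30 ", "30;rm -rf /",
    # a newline (a second cron line smuggled in) and "%" (cron turns it into a
    # newline inside the command field).
    case "$d" in
        "" | *[!0-9]*) echo "reject: retention must be digits only, got '$d'" >&2; return 1 ;;
    esac
    d=$(normalize_days "$d")
    # Length cap before the numeric compare, so a 40-digit value cannot
    # overflow the shell's integer test
    if [ "${#d}" -gt 4 ] || [ "$d" -lt "$DAYS_MIN" ] || [ "$d" -gt "$DAYS_MAX" ]; then
        echo "reject: retention must be $DAYS_MIN..$DAYS_MAX days, got '$1'" >&2; return 1
    fi
    return 0
}

# retention_cron_line VALUE -> prints the crontab line for VALUE, or prints
# nothing and returns 1 if VALUE is rejected.
retention_cron_line() {
    validate_days "$1" || return 1
    printf '30 3 * * * find %s -type f -mtime +%s -delete\n' "$INCOMING" "$(normalize_days "$1")"
}

# install_retention VALUE: replacement for the quoted "( ... ) | crontab -"
# step. Keeps existing entries, replaces any earlier entry for $INCOMING
# rather than stacking duplicates, and ends with `crontab -l` so the operator
# sees exactly what root will run.
install_retention() {
    line=$(retention_cron_line "$1") || return 1
    {
        crontab -l 2>/dev/null | grep -vF "$INCOMING" || true
        printf '%s\n' "$line"
    } | crontab -
    crontab -l
}

# Self-check on constructed values (nothing is written to any crontab here)
for value in 30 007 0 5000 "30; rm -rf /" "30%echo" "30
* * * * * /tmp/evil"; do
    if line=$(retention_cron_line "$value" 2>/dev/null); then
        echo "accept -> $line"
    else
        echo "reject -> $(printf '%s' "$value" | tr '\n' '?')"
    fi
done
```

Only `install_retention` touches the crontab; run it as root with a plain number such as `30` and read the `crontab -l` output it prints before trusting the schedule.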
Exposed SSH keys, FTP passwords, or VPS admin access could let someone access or alter backup footage and server configuration.
The setup requires VPS admin access and later uses SSH credentials for the local pull, which is expected for this backup architecture but gives the skill high-impact account authority.
- VPS host/IP and SSH access method ... Run `scripts/setup_vps_vsftpd.sh` on VPS as root.
Use a dedicated VPS, a dedicated SSH key, a restricted non-root backup user, no sudo for the ingest user, and rotate any credential pasted into chat or logs.
The machine will keep connecting to the VPS and moving files on the configured schedule until the timer is disabled.
The local pull is intentionally installed as a persistent systemd user timer that continues running after setup and catches up after downtime.
Persistent=true ... systemctl --user enable --now reolink-pull.timer
Install only on the intended machine and document how to stop it, such as `systemctl --user disable --now reolink-pull.timer`, and remove the retention cron job if the setup is retired.
Users may weaken SSH key restrictions while believing the account is more confined than it is, increasing damage if that key or password is compromised.
The troubleshooting guidance tells users to remove a forced-command SSH restriction and reassures them that the user is home-dir-only, which is not a complete SSH confinement guarantee in the shown setup.
Do **not** use a forced rsync command for this setup. ... sed -i 's|command="rsync[^\"]*",||' /srv/reolink/.ssh/authorized_keys ... The `reolinkftp` user is already restricted (no sudo, home-dir only)
Do not remove forced-command restrictions blindly; replace them with a tested rsync-compatible restriction model, disable SSH password login where possible, and document the actual limits of the reolinkftp account.
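One rsync-compatible restriction model, and a check for keys that have lost it, as an added example that is not code from the skill or from ClawScan. The restricted entry uses OpenSSH's `restrict` keyword together with a forced `rrsync` command (the restricted rsync wrapper distributed with rsync), which is the kind of tested replacement the recommendation asks for. Assumptions: OpenSSH authorized_keys syntax; `rrsync` is installed and on the PATH of the reolinkftp user (on some distributions it has to be copied from rsync's support directory); the local pull only reads /srv/reolink/incoming; 203.0.113.10 is a placeholder client address and the key material is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not code from the skill or from ClawScan: audit the
# reolinkftp authorized_keys file for entries that lost their forced command
# (the troubleshooting sed quoted above strips it) and show the restricted
# entry that should be there instead. Assumptions: OpenSSH authorized_keys
# syntax; rrsync (shipped with rsync) is installed on the VPS; the local pull
# only reads /srv/reolink/incoming; 203.0.113.10 is a placeholder client
# address and the key material below is a placeholder, not a real key.

# Restricted entry for a pull-only rsync client. "restrict" disables pty,
# agent/port/X11 forwarding and user-rc in one word; "from=" pins the client
# address; rrsync -ro confines rsync to the named directory, read-only.
HARDENED_LINE='restrict,from="203.0.113.10",command="rrsync -ro /srv/reolink/incoming" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIALxxxxxxxxxxxxxxxxxxxxxx reolink-pull'

# key_options LINE -> prints the options field of one entry ("" if none).
# Simplification: assumes the options field never itself contains a key-type
# token such as "ssh-ed25519 ".
key_options() {
    printf '%s\n' "$1" | sed -E 's/ ?(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp[0-9]+|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) .*$//'
}

# audit_authorized_keys FILE -> 0 if every key carries both a forced command
# and pty/forwarding restrictions, 1 otherwise (each weak entry is reported
# on stderr). "restricted" means the "restrict" keyword or all four of
# no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding.
audit_authorized_keys() {
    file="$1"
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in "" | \#*) continue ;; esac
        opts=$(key_options "$line")
        comment=${line##* }
        has_cmd=0
        case "$opts" in *command=*) has_cmd=1 ;; esac
        has_restrict=1
        case "$opts" in
            *restrict*) ;;
            *)
                for flag in no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding; do
                    case "$opts" in *"$flag"*) ;; *) has_restrict=0 ;; esac
                done
                ;;
        esac
        [ "$has_cmd" -eq 1 ] || echo "line $n ($comment): no command=, key grants a login shell, not just rsync" >&2
        [ "$has_restrict" -eq 1 ] || echo "line $n ($comment): no restrict/no-* options, pty and forwarding allowed" >&2
        if [ "$has_cmd" -eq 0 ] || [ "$has_restrict" -eq 0 ]; then
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Constructed sample: a key after the sed stripped its forced command, a key
# with only a forced command, and the hardened entry. Placeholder key material.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# reolinkftp keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL1xxxxxxxxxxxxxxxxxxxx laptop-stripped
command="rsync --server --sender . /srv/reolink/incoming/" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL2xxxxxxxxxxxxxxxxxxxx laptop-forced-only
EOF
printf '%s\n' "$HARDENED_LINE" >> "$sample"
if audit_authorized_keys "$sample"; then
    echo "all keys restricted"
else
    echo "weak keys found; replace them with: $HARDENED_LINE"
fi
rm -f "$sample"
```

With `rrsync -ro DIR` in place, the local pull's remote path is interpreted relative to DIR (for example `reolinkftp@vps:./` rather than an absolute path), which is why the restriction has to be tested against the actual pull command before the old forced-command line is removed. The audit reports an entry as weak when it lacks either the forced command or the pty/forwarding restrictions; "home-dir only" is not something an authorized_keys line can express, so a key with neither grants an ordinary shell as reolinkftp.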
