suspicious.dangerous_exec
Location: scripts/backup.js:65
Finding: Shell command execution detected (child_process).
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A backup may include sensitive agent state and private workspace data, and that state may later be restored or reused.
The script explicitly treats OpenClaw config, memory, and workspace as backup content, excluding only a few noisy session files. Those areas can contain private prompts, agent memory, account configuration, or project data.
const comment = 'Backup OK. Full snapshot (config + memory + workspace) to minimize recovery time. Excluded .jsonl.lock and .jsonl.deleted.* session files to reduce noise.';
Review the backup contents before enabling automation, add exclusions for secrets/sessions/tokens, and use encryption or a private dedicated repository for any remote backup.
A misconfigured backup directory could delete local data, and a configured remote could have its main branch overwritten by the backup job.
The workflow recursively removes the configured backup directory during sync and force-pushes the configured Git remote. These are high-impact operations without visible path-safety checks or overwrite warnings.
await fsp.rm(dest, { recursive: true, force: true }); ... git(['push', '-u', 'origin', 'main', '--force'], OPENCLAW_BACKUP_DIR);
Add safeguards that refuse unsafe paths, avoid `--force` by default, use a dedicated private backup repo/branch, and require explicit confirmation before the first remote push.
Backups and remote pushes can continue automatically after setup, including after configuration mistakes.
The skill documents creating a persistent scheduled job. This is expected for automated backups, but it means the script will keep running in the gateway environment until disabled.
--cron "0 5,10,15,20 * * *" --exec "node ~/.openclaw/workspace/tools/openclaw-backup.js"
Enable cron only after testing manually, document how to remove the cron job, and monitor backup logs/notifications.
The job can post backup notifications to the configured Discord channel using whatever local OpenClaw permissions are available.
The script uses the local OpenClaw account's Discord messaging authority for notifications. This is disclosed and purpose-aligned, but registry metadata declares no credentials or env vars.
spawnSync('openclaw', ['message', 'send', '--channel', 'discord', '--target', BACKUP_CHANNEL_ID, '--message', payload]
Use least-privilege OpenClaw/Discord access and declare the required env vars and account authorities in metadata.
A future install could resolve newer dependency versions than the author tested.
The script depends on external packages using semver ranges, and no lockfile or install spec is provided in the artifacts.
"dependencies": { "minimatch": "^9.0.5", "tar": "^6.2.1" }
Pin dependencies with a lockfile and provide an explicit install specification for Node, git, and npm package setup.