Back to skill

Security audit

Openclaw Backup Optimized

Security checks across malware telemetry and agentic risk

Overview

This backup skill appears purpose-aligned, but it can copy sensitive OpenClaw data to a configured remote repository and force-push it without enough safety controls or disclosure.

Install only if you trust the publisher and are prepared for the entire ~/.openclaw backup to be sent to the configured Git remote. Use a private repository, review what is included before first run, avoid sensitive tokens in backed-up files where possible, and be careful with BACKUP_REPO_URL because the script reportedly uses git push --force.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs users to set and rely on multiple environment variables and to run backup automation, but it does not declare corresponding permissions or clearly scope that capability. Undeclared env access weakens reviewability and can hide the fact that the skill may read sensitive paths, repository destinations, or other inherited secrets from the execution environment.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description and trigger language are broad enough to match generic backup, automation, snapshot, restore, and GitHub-backup tasks, which can cause the skill to activate in contexts the user did not specifically intend. For a backup skill that can copy local state and publish artifacts remotely, accidental invocation increases the chance of unintended data collection, execution, or transmission.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description emphasizes snapshots, GitHub backup repositories, and Discord notifications but does not clearly warn that backup contents may be transmitted to remote destinations or exposed through notifications and published repositories. In this context, the archived `~/.openclaw` directory and workspace data may contain sensitive configuration, tokens, logs, or user content, making insufficient disclosure materially risky.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script unconditionally force-pushes the entire backup repository to whatever URL is supplied in BACKUP_REPO_URL, with no confirmation, allowlist, or safety checks. Because this backup contains full OpenClaw state including config, memory, and workspace snapshots, a misconfigured or attacker-controlled remote can cause large-scale exfiltration of sensitive data and overwrite remote history, making this more dangerous in a backup automation context.

Known Vulnerable Dependency: minimatch==9.0.5 — 3 advisory(ies): CVE-2026-27904 (minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regu); CVE-2026-26996 (minimatch has a ReDoS via repeated wildcards with non-matching literal in patter); CVE-2026-27903 (minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adja)

High
Category
Supply Chain
Confidence
98% confidence
Finding
minimatch==9.0.5

Known Vulnerable Dependency: tar==6.2.1 — 7 advisory(ies): CVE-2026-24842 (node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Trave); CVE-2026-26960 (Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in no); CVE-2026-23745 (node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Ins) +4 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
tar==6.2.1

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/backup.js:65