suspicious.dangerous_exec
- Location: clawclone.mjs:1865
- Finding: Shell command execution detected (child_process).
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A cloud or shared backup could expose credentials or restore someone else’s tokens into an OpenClaw instance.
The skill explicitly says backups may include API keys/tokens and preserve gateway tokens, but does not clearly bound which credentials are included, how they are encrypted, or how they are protected when uploaded or shared.
| Config | Optional: API keys and tokens (if configured) | ... Gateway tokens are preserved by default
Do not upload or share backups containing secrets unless you have verified encryption, access controls, and token exclusions; rotate exposed tokens after testing or sharing.
A restored or shared snapshot could leak private memory or install altered skills/settings that change how the agent behaves later.
The skill handles persistent agent memory and behavior-defining files, which can carry private data or instructions that influence future agent behavior.
restore complete OpenClaw state including memory, skills, agents, and settings
Inspect backups with --test, review MEMORY.md/skills/settings before restore, and only clone from backups or share tokens you trust.
Running the wrong command or using the wrong backup could overwrite local configuration, skills, memory, or cloud backups.
The requested permissions match a backup/restore tool, but they give the command broad authority over the OpenClaw workspace and network destinations.
permissions:
 - read: ~/.openclaw/
 - write: ~/.openclaw/
 - network: https
Use --test before clone/import, require explicit confirmation for restore/delete/share actions, and keep separate safe backups.
A bad, outdated, poisoned, or over-privileged snapshot could spread to multiple agents or team members.
Shared backups can propagate complete OpenClaw configurations, memory, skills, and possibly tokens across users or instances.
Team members can clone from the share link
Treat share tokens like secrets, verify snapshots before distributing them, and publish sanitized templates instead of full personal workspaces.
A bundled hardcoded secret or unexplained credential path could affect the security of cloud interactions or indicate code that needs manual review.
The scanner reports a hardcoded secret-like value in the bundled executable, and the visible artifact context does not explain why a backup tool needs it.
Static scan: suspicious.exposed_secret_literal at clawclone.mjs:26688 ... const password = [REDACTED] || "";
Inspect the reported line and surrounding code before use; the publisher should remove hardcoded secrets or document any benign test/default credential clearly.