OpenClaw backup and synchronization tool - Pack, upload, download, and restore. Save the Soul of your OpenClaw.
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: clawclone Version: 0.1.5 The skill is designed to exfiltrate the entire OpenClaw environment, including sensitive memory, configurations, and explicitly 'API keys and tokens,' to an external third-party service (https://clawclone.cc). While framed as a backup and migration utility, the broad permissions (read/write access to ~/.openclaw/ and network access) and the explicit focus on credential collection pose a significant security risk. Additionally, the primary execution logic in clawclone.mjs is missing from the provided files, making it impossible to verify if the data is handled securely or if the tool contains hidden malicious behaviors.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A cloud or shared backup could expose credentials or restore someone else’s tokens into an OpenClaw instance.
The skill explicitly says backups may include API keys/tokens and preserve gateway tokens, but does not clearly bound which credentials are included, how they are encrypted, or how they are protected when uploaded or shared.
| Config | Optional: API keys and tokens (if configured) | ... Gateway tokens are preserved by default
Do not upload or share backups containing secrets unless you have verified encryption, access controls, and token exclusions; rotate exposed tokens after testing or sharing.
A restored or shared snapshot could leak private memory or install altered skills/settings that change how the agent behaves later.
The skill handles persistent agent memory and behavior-defining files, which can carry private data or instructions that influence future agent behavior.
restore complete OpenClaw state including memory, skills, agents, and settings
Inspect backups with --test, review MEMORY.md/skills/settings before restore, and only clone from trusted backups or share tokens.
Running the wrong command or using the wrong backup could overwrite local configuration, skills, memory, or cloud backups.
The requested permissions match a backup/restore tool, but they give the command broad authority over the OpenClaw workspace and network destinations.
permissions:\n - read: ~/.openclaw/\n - write: ~/.openclaw/\n - network: https
Use --test before clone/import, require explicit confirmation for restore/delete/share actions, and keep separate safe backups.
A bad, outdated, poisoned, or over-privileged snapshot could spread to multiple agents or team members.
Shared backups can propagate complete OpenClaw configurations, memory, skills, and possibly tokens across users or instances.
Team members can clone from the share link
Treat share tokens like secrets, verify snapshots before distributing them, and publish sanitized templates instead of full personal workspaces.
A bundled hardcoded secret or unexplained credential path could affect the security of cloud interactions or indicate code that needs manual review.
The scanner reports a hardcoded secret-like value in the bundled executable, and the visible artifact context does not explain why a backup tool needs it.
Static scan: suspicious.exposed_secret_literal at clawclone.mjs:26688 ... const password = [REDACTED] || "";
Inspect the reported line and surrounding code before use; the publisher should remove hardcoded secrets or document any benign test/default credential clearly.