Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

VPS Backup

v1.0.0

Automated daily VPS backup using restic — backs up OpenClaw workspace, SSH keys, project code, and session transcripts. Configures encrypted incremental snap...

by Carina MacInnes @codaire
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (VPS backup using restic) matches the included script and docs: it backs up OpenClaw state, project code, SSH keys, and session transcripts. However, the registry metadata declares no required environment variables even though the SKILL.md and script rely on BACKUP_PASSWORD/RESTIC_PASSWORD and optionally RCLONE_DEST; that's an incoherence between declared requirements and actual behavior.
! Instruction Scope
Instructions and the script will read and archive highly sensitive data (e.g., ~/.ssh and exported session transcripts) and instruct the user how to push backups offsite via rclone. The docs recommend fetching and running an external export_sessions.py from a GitHub URL — that external script could modify what gets archived or exfiltrate data. The script itself also captures hostname and node version; those are minor but potentially identifying. Overall the scope stays within 'backup' but includes sensitive data and a third-party downloader, which increases risk.
Install Mechanism
This is an instruction-only skill (no install spec). The SKILL.md suggests downloading restic and rclone from their official release pages (GitHub/releases and downloads.rclone.org), which is common practice. No opaque or shortened URLs are used for the primary tools. The only third-party fetch of concern is the session archiver raw GitHub URL referenced in docs/config.md.
! Credentials
The skill relies on sensitive environment values (BACKUP_PASSWORD / RESTIC_PASSWORD and optionally RCLONE_DEST) but the registry metadata lists no required env vars; this mismatch is misleading. The backup targets include ~/.ssh and session transcripts — backing these up locally is reasonable for a full backup, but pushing them offsite (via rclone) can expose private keys and chat history if the remote is not fully controlled/trusted. The skill does not declare these env requirements in metadata, which reduces transparency.
Persistence & Privilege
No unusual persistence or elevated privileges are requested (always:false). The script runs as the user, writes into the user's backup directory, and suggests cron scheduling under the user's crontab. Autonomous invocation (disable-model-invocation:false) is normal platform behavior and not by itself concerning here.
What to consider before installing
Before installing or running this skill:
(1) Understand sensitivity — it will back up ~/.ssh and exported session transcripts; decide whether you want those included or excluded.
(2) Verify and audit export_sessions.py before using it (the docs point to a raw GitHub URL) — don't run an unreviewed downloader that could exfiltrate or modify data.
(3) If using offsite push, ensure RCLONE_DEST points to a trusted destination and that access credentials for that remote are handled securely; avoid sending private keys/chat logs to third-party storage.
(4) The skill uses BACKUP_PASSWORD/RESTIC_PASSWORD but the registry metadata does not declare these env vars — make sure you securely generate and store the password (as recommended) and confirm where RESTIC_PASSWORD is set.
(5) Consider removing ~/.ssh from BACKUP_PATHS or encrypting the repo and limiting remote retention if you don't want private keys backed up.
(6) Prefer inspecting the script locally and testing on a non-production VM first.
If you want, I can: (a) list exact lines in scripts that touch sensitive files, (b) show what export_sessions.py would be expected to do given its repo, or (c) suggest a safer backup config that excludes secrets.

Like a lobster shell, security has layers — review code before you run it.

latest vk9703pa7tjr27ar1mcqds377v9841shf
