VPS Backup

Security checks across malware telemetry and agentic risk

Overview

This is a transparent VPS backup skill that handles sensitive files by design, so it is acceptable but should be configured carefully.

Install only if you intentionally want full VPS backups that may include SSH keys, OpenClaw memory and session data, chat transcripts, and project code. Before scheduling it, review BACKUP_PATHS and exclusions, protect ~/.backup-password, verify or pin downloaded tools and scripts where possible, and set RCLONE_DEST only to a trusted storage destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill clearly instructs the user to run shell commands, install binaries, configure cron jobs, and invoke local scripts, yet no permissions are declared. That mismatch can cause an agent or reviewer to underestimate the skill's execution capabilities, which is especially risky here because the workflow handles highly sensitive data including SSH keys and session transcripts.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill description does not explicitly warn that backups include extremely sensitive material such as SSH private keys, agent state, configs, and human-readable session transcripts, and that these may be copied to offsite storage. Users may enable or reuse this skill without understanding that compromise of the backup repository, password handling, logs, or cloud destination could expose full infrastructure access and sensitive conversations.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The documentation instructs users to fetch a Python script directly from a remote URL with curl and then execute it, without any integrity verification, pinning to a specific commit, signature check, or warning to review the code first. In a backup skill, this is especially dangerous because the downloaded script may process sensitive session transcripts and run in an automated cron context, so a compromised upstream repository or man-in-the-middle path could lead to code execution and exfiltration of secrets.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script can automatically sync the entire local backup set to a remote rclone destination whenever RCLONE_DEST is set, but it provides no explicit confirmation, allowlist, or user-facing warning before transmitting sensitive data off-host. In this skill's context, the backup includes highly sensitive material such as SSH keys, workspace data, and session transcripts, so an accidental or misconfigured destination could disclose a large amount of confidential data.

VirusTotal

65/65 vendors flagged this skill as clean.