ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Soul Transfer

v1.1.0

Backup and restore an OpenClaw agent's full workspace (memory, config, credentials, skills, cron jobs) to/from a Git repository. Use when: migrating to a new...

1· 187·0 current·0 all-time
by@crypticdriver
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Backing up an agent's files, config, and cron jobs is a reasonable purpose and the instructions/shell script match that purpose. However, the skill explicitly instructs exporting and committing live OpenClaw config that contains channel tokens and API keys into a Git repository — that is functionally related to backup but introduces sensitive-data handling that should have more explicit safeguards (encryption, repo access requirements, or exclusion).
!
Instruction Scope
SKILL.md and the script instruct the agent to: export the full OpenClaw config (channel tokens, API keys), write it into the workspace, add and push all files to a Git remote (including the config JSON), and optionally set up cron jobs that run automated backups. The instructions also recommend embedding an auth token in the remote URL (https://<token>@github.com/...), which may leak credentials in shell history, CI logs, or remote URL configuration. The instructions to not scrub the config JSON and to restore it verbatim via config.patch are explicit; committing and pushing these secrets to a remote repo (even private) is dangerous unless the user explicitly encrypts or otherwise protects the file. Cron templates also include agentTurn payloads that instruct the agent to perform multi-step actions (including network access) automatically — this expands attack surface if the backup repo or token are compromised.
Install Mechanism
No install spec (instruction-only) and a small helper script are provided. That minimizes filesystem footprint and supply-chain risk. The included shell script uses standard CLI tools (git, openclaw) and is consistent with the stated purpose.
!
Credentials
The skill declares no required environment variables or credentials, but its procedure expects access to highly sensitive artifacts: OpenClaw channel tokens, API keys, and tool settings. It suggests authenticating git pushes using a token in the remote URL, and cron jobs will repeatedly push these artifacts. The sensitivity and quantity of credentials captured is high compared to the declared metadata (which lists none). There is no guidance in the skill to encrypt the config backup, restrict the repo visibility, or rotate tokens after transfer.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. It instructs the creation/restoration of cron jobs and calls to gateway/config tooling to re-enable channels; those actions are expected for migration/restore workflows, but combined with automated backups of secrets they increase the blast radius if the repo or token is leaked. Autonomous agent execution of cron-scheduled backups (if the agent installs such jobs) should be considered carefully.
What to consider before installing
This skill is coherent for migrating an agent, but it explicitly exports live channel tokens and API keys and tells you to commit them to a Git repo and (optionally) automate pushes. Before using it, consider the following: - Treat the config backup JSON as extremely sensitive. Do NOT store it in plaintext in a remote Git repo unless you fully control and trust the repo (prefer a private repo only accessible to a minimal set of accounts). - Prefer encrypting the config backup (GPG, SOPS, age, or similar) before committing, and store decryption keys separately and securely. - Avoid embedding authentication tokens in remote URLs (https://<token>@...). That leaks tokens in process lists, shell histories, and some logs. Use an authenticated Git remote configured in a secure way (credential helper, deploy key, or ephemeral CI token) instead. - If you must push secrets, rotate credentials after a transfer is complete and verify no tokens ended up in public history (run git log --grep, filter-branch/BFG if needed). - Review and restrict cron templates: automated backups should be limited in frequency and target only trusted remotes; ensure any automated agentTurn payloads cannot exfiltrate more than intended. - Confirm the presence and permissions of gateway/openclaw tooling used by the scripts; restoring config via config.patch will reconnect channels and may enable message delivery immediately — verify environment and safety policies before patching. - If you want a safer workflow, remove secrets from the repo and transfer them via an out-of-band encrypted channel, or store secrets in a dedicated secret manager rather than in git. Given these issues, treat this skill as "suspicious" until you apply appropriate operational safeguards (encryption, access controls, token rotation) and confirm the backup repo/workflow meets your security requirements.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e4jwc82ncy95pt6s3z0y42d82vkcz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments