ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Soul Backup

v0.1.8

Store encrypted OpenClaw workspace backups and restore them via token-secured API using claw-vault.com with local encryption and credential management.

0· 388·0 current·0 all-time
byDaniel@danielglh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the SKILL.md workflow: prepare local encrypted archives, upload to https://api.claw-vault.com, and store backup_id/api_token. The skill does not request unrelated credentials, binaries, or system access.
Instruction Scope
The runtime instructions are narrowly scoped (encrypt locally, upload, store tokens securely, ask for confirmation). However the SKILL.md tells the agent to 'Follow https://www.claw-vault.com/SKILL.md for current response formats and full API contract' — that gives the agent a live external reference that could change behavior at runtime. The skill itself otherwise directs no unexpected file reads or transmissions beyond the backup upload.
Install Mechanism
Instruction-only skill with no install spec and no code to write to disk. Lowest install risk.
Credentials
The skill does not declare required env vars or primary credentials, which is proportional to being instruction-only. Example snippets reference $BACKUP_ID and $API_TOKEN so the agent/user will need to supply those tokens; the SKILL.md instructs treating them as secrets. It would be clearer if the skill declared those as expected inputs, but their use is consistent with the stated purpose.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes or other skills' credentials. Autonomous invocation is allowed (platform default) but not combined with elevated privileges here.
Assessment
This skill is coherent with its purpose, but before installing: 1) Verify the legitimacy of https://www.claw-vault.com and its privacy/security practices; 2) Ensure you create and verify the local encryption process (encrypt locally before any upload) and test with non-sensitive data first; 3) Be prepared to provide and securely store the returned backup_id and api_token (the SKILL.md examples reference $BACKUP_ID and $API_TOKEN even though they aren't declared); 4) Note the skill directs the agent to consult a remote SKILL.md — that external content could change how the agent behaves, so only proceed if you trust the host; 5) Confirm the agent will ask for explicit user confirmation before any first upload as stated in the Safety Rules.

Like a lobster shell, security has layers — review code before you run it.

apivk971p9qesmzjfk9pv08knfa75182033tarchivevk971p9qesmzjfk9pv08knfa75182033tauto-backupvk971p9qesmzjfk9pv08knfa75182033tbackupvk971p9qesmzjfk9pv08knfa75182033tbusiness-continuityvk971p9qesmzjfk9pv08knfa75182033tclaw-vaultvk971p9qesmzjfk9pv08knfa75182033tcredential-safetyvk971p9qesmzjfk9pv08knfa75182033tcronvk971p9qesmzjfk9pv08knfa75182033tdevopsvk971p9qesmzjfk9pv08knfa75182033tdisaster-recoveryvk971p9qesmzjfk9pv08knfa75182033tencrypted-backupvk971p9qesmzjfk9pv08knfa75182033tencryptionvk971p9qesmzjfk9pv08knfa75182033tlatestvk971p9qesmzjfk9pv08knfa75182033tlinuxvk971p9qesmzjfk9pv08knfa75182033tmacosvk971p9qesmzjfk9pv08knfa75182033tmemory-mdvk971p9qesmzjfk9pv08knfa75182033topenclawvk971p9qesmzjfk9pv08knfa75182033topensslvk971p9qesmzjfk9pv08knfa75182033topsvk971p9qesmzjfk9pv08knfa75182033tperiodic-backupvk971p9qesmzjfk9pv08knfa75182033trecovery-drillvk971p9qesmzjfk9pv08knfa75182033tresiliencevk971p9qesmzjfk9pv08knfa75182033trestorevk971p9qesmzjfk9pv08knfa75182033tscheduled-backupvk971p9qesmzjfk9pv08knfa75182033tsecret-managementvk971p9qesmzjfk9pv08knfa75182033tsecure-storagevk971p9qesmzjfk9pv08knfa75182033tsecurityvk971p9qesmzjfk9pv08knfa75182033tshell-scriptvk971p9qesmzjfk9pv08knfa75182033tsoul-mdvk971p9qesmzjfk9pv08knfa75182033ttarvk971p9qesmzjfk9pv08knfa75182033ttar-gzvk971p9qesmzjfk9pv08knfa75182033ttoken-authvk971p9qesmzjfk9pv08knfa75182033tworkspacevk971p9qesmzjfk9pv08knfa75182033tworkspace-backupvk971p9qesmzjfk9pv08knfa75182033t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments