Back to skill

Security audit

OpenClaw State Backup

Security checks across malware telemetry and agentic risk

Overview

This backup skill is coherent, but its restore script can unsafely unpack crafted archives before validation, so users should review it before use.

Install only if you understand that backups may contain private memory, session/config data, and local skills. Do not run restore_state.py on archives from other people or uncertain sources until it validates tar members before extraction and rejects path traversal, absolute paths, links, devices, and unexpected manifest paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code calls tar.extractall(tmpdir) on an untrusted archive before validating member names against the manifest or checking checksums. A crafted tarball can use path traversal or symlink/hardlink entries to write outside tmpdir during extraction, which is especially dangerous because this skill is explicitly intended to restore state on real hosts with access to workspace and config data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.