OpenClaw Backup & Restore

Security checks across malware telemetry and agentic risk

Overview

This is a real backup/restore skill, but it gives restore and backup scripts broad access to sensitive OpenClaw state and can run code from restored files without enough user review.

Install only if you intentionally want full OpenClaw state stored in a trusted private Git repository. Before use, verify the repo URL, add explicit exclusions or encryption for secrets/sessions, inspect the backup diff, and do not run restore from any repository or commit you would not trust to modify your OpenClaw setup and execute local package scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium (96% confidence)
Finding
The restore flow does more than copy backed-up files: it searches restored content for every package.json and runs npm install. Because npm may execute lifecycle scripts such as preinstall/postinstall, anyone who can influence the backup repository can achieve code execution on the restoring machine. In a backup/restore skill, repository-sourced code execution is broader and more dangerous than the stated purpose.

Context-Inappropriate Capability

Medium (80% confidence)
Finding
Running openclaw doctor --yes performs automatic repair actions after restore without user review. That expands the skill from data restoration into making potentially invasive environment changes, which could modify configuration, install components, or alter state unexpectedly. The non-interactive flag increases risk because the user is not prompted before changes occur.

Missing User Warnings

Medium (93% confidence)
Finding
The restore instructions describe syncing backup contents back into `${HOME}/.openclaw/` but do not warn that this can overwrite existing local configuration, sessions, workspace state, or create merge/conflict issues. A user invoking restore on a live or partially configured system could accidentally destroy newer local data or end up with an inconsistent runtime state.

Missing User Warnings

Medium (95% confidence)
Finding
This script backs up the entire ~/.openclaw directory and pushes it to a configured remote repository, which can include highly sensitive material such as configuration, identity data, sessions, runtime state, memory, agents, and workspace contents. Although the skill’s purpose is backup/restore, the lack of an explicit confirmation, sensitive-data warning, and allowlist-based selection makes accidental exfiltration to an unintended or misconfigured repository much more likely.

Missing User Warnings

Medium (98% confidence)
Finding
The script installs dependencies directly from repository-restored content with no warning that npm install can execute package lifecycle scripts. This means a compromised or malicious backup repository can trigger arbitrary commands during restore, turning a data recovery action into code execution. The backup/restore context makes this especially dangerous because users may treat the repository as passive data rather than executable content.

Missing User Warnings

Medium (81% confidence)
Finding
Automatic environment repair is invoked with a non-interactive --yes flag and no disclosure of what actions will be taken. Even if intended to improve reliability, silently performing repairs can change system or application state in ways the user did not authorize, increasing the blast radius of a simple restore operation. This is risky because the skill description focuses on backup and restore, not autonomous remediation.

VirusTotal

66/66 vendors flagged this skill as clean.
