Skill v1.0.3

ClawScan security

OpenClaw Backup & Restore · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 15, 2026, 3:45 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The scripts do what the skill claims (backup/restore via Git and rsync), but the package metadata omits several required tools/assumptions and the runtime actions (git push/pull, rsync of the entire ~/.openclaw, and automated npm installs) create non-trivial risks that the user should understand before installing.
Guidance
Before installing or running this skill:
1) Verify that OPENCLAW_BACKUP_REPO points to a private, access-controlled repository (do not push secrets to a public repo).
2) Confirm that git, rsync, npm and the OpenClaw CLI are available on the machine; the skill metadata currently does not declare these requirements.
3) Understand that restore runs 'npm install' in any folder containing a package.json, which can execute arbitrary install scripts from code stored in the backup. Consider disabling automatic npm installs, running them with npm's --ignore-scripts flag, or reviewing the package.json files before restoring.
4) Ensure the SSH/git credentials used for push/pull have appropriate scope, and rotate them if you suspect exposure.
5) Test the backup/restore flow on a non-production copy first to validate the rsync and git semantics (rsync treats a source path with and without a trailing slash differently, which can produce a nested copy of the directory).
6) If you plan to proceed, update the skill metadata or documentation to list the required binaries and clearly warn about the sensitivity of files under ~/.openclaw.
If you want, give the agent a read-only or restricted backup repo and review the contents before running npm install or pushing sensitive files.

Review Dimensions

Purpose & Capability
note: The skill's name/description match the included scripts: they back up ${HOME}/.openclaw to a Git repo and can restore it. However, the registry metadata claims no required binaries or envs even though the scripts require git, rsync, npm, and the OpenClaw CLI (openclaw). It also implicitly requires a working SSH/git auth setup for the remote repo. The missing required-tool declarations are an inconsistency.
Instruction Scope
note: SKILL.md and the scripts stay within the stated purpose (sync .openclaw to/from a Git repo). The restore script runs 'find ... -execdir npm install', which will execute package install scripts in restored directories (a legitimate restore step, but a notable execution risk if the backup contains malicious package.json files). The scripts read OpenClaw config and operate on ${HOME}/.openclaw and ${HOME}/openclaw-backup; they will move potentially sensitive runtime/config/identity files to the configured remote, which is expected but requires caution.
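The restore step described above (and item 3 of the guidance) runs npm install wherever a package.json is found. The following shell script is an added example, not one of the skill's own scripts: it audits a restored tree for the npm lifecycle hooks that execute during npm install (preinstall, install, postinstall, prepare, prepublish, which are npm's documented lifecycle script names) and, once the operator has reviewed the findings, installs with npm's --ignore-scripts flag. The directory layout, the sample package.json files and the function names are constructed for this example, and skipping node_modules is this example's choice rather than something the page says the skill does.

```shell
#!/bin/sh
# Added example, not part of the OpenClaw Backup & Restore skill: audit a
# restored tree for npm lifecycle hooks before any `find ... -execdir npm
# install` step runs, and install with scripts disabled once reviewed.
# Hook names are npm's documented lifecycle scripts; the directory layout and
# sample package.json files below are constructed for this example.
set -eu

# Every package.json outside node_modules: the directories a restore would
# run `npm install` in. Skipping node_modules is this example's choice.
find_package_json() {
  find "$1" -name package.json -not -path '*/node_modules/*' | LC_ALL=C sort
}

# Space-separated lifecycle hooks declared in one package.json (empty if none).
# A grep keeps this dependency-free; `jq -r '.scripts | keys[]'` is more exact
# because it cannot be fooled by a dependency that happens to be named "install".
lifecycle_hooks() {
  { grep -oE '"(preinstall|install|postinstall|prepare|prepublish)"[[:space:]]*:' "$1" || true; } \
    | sed -E 's/[^a-z]//g' | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print "<package.json>: <hooks>" for every package that would execute code
# during `npm install`. Prints nothing for a clean tree; always returns 0.
audit_restore_dir() {
  find_package_json "$1" | while IFS= read -r pj; do
    hooks=$(lifecycle_hooks "$pj")
    if [ -n "$hooks" ]; then
      printf '%s: %s\n' "$pj" "$hooks"
    fi
  done
  return 0
}

# After review: install dependencies with lifecycle scripts disabled.
# --ignore-scripts is a standard npm flag; a package that needs an install
# hook (native add-ons, for example) then requires a deliberate follow-up.
safe_npm_install() {
  command -v npm >/dev/null 2>&1 || { echo "npm not found in PATH" >&2; return 1; }
  find_package_json "$1" | while IFS= read -r pj; do
    ( cd "$(dirname "$pj")" && npm install --ignore-scripts )
  done
}

# Constructed sample tree standing in for a restored ~/.openclaw (not real data).
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/workspace/tool-a" "$t/workspace/tool-b/node_modules/dep"
  printf '{"name":"tool-a","scripts":{"test":"node test.js"}}\n' \
    > "$t/workspace/tool-a/package.json"
  printf '{"name":"tool-b","scripts":{"postinstall":"node setup.js","prepare":"node build.js"}}\n' \
    > "$t/workspace/tool-b/package.json"
  printf '{"name":"dep","scripts":{"preinstall":"node x.js"}}\n' \
    > "$t/workspace/tool-b/node_modules/dep/package.json"
  echo "$t"
}

# Usage: sh restore-audit.sh /path/to/restored/.openclaw
if [ $# -gt 0 ]; then
  audit_restore_dir "$1"
fi
```

Run the audit against the restored copy before the skill's npm step; an empty report means no package in the tree declares an install-time hook, while each reported line names a package whose scripts should be read before anything is installed. Disabling scripts is a trade-off: it blocks the execution path the scanner flagged, but packages that genuinely build during install will need that step re-run by hand after review.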
Install Mechanism
ok: No install spec (instruction-only), so no external archives are downloaded by the skill itself. The scripts are included in the skill bundle and will be executed by the agent when invoked. This is a low-risk install mechanism in the sense of remote code fetching, but the included scripts will perform network operations (git push/pull, npm install).
Credentials
concern: The skill requests no environment variables in metadata, yet it depends on a user-configured OPENCLAW_BACKUP_REPO value in OpenClaw config and needs access to the user's SSH/git credentials and HOME. The scripts will read/write the entire ${HOME}/.openclaw (including identity/credentials files referenced in SKILL.md), then push them to the configured remote. This is functionally necessary but high-impact, so the omission in metadata and the lack of explicit credential requirements are concerning.
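The credential concern above, together with guidance items 1 and 6, comes down to knowing what is in ${HOME}/.openclaw before rsync stages it and git pushes it. The script below is an added example and not part of the skill: it lists files in a staging directory whose names suggest key material or tokens and turns the hits into an rsync exclude list. The filename patterns, the sample tree and the function names are assumptions made for the example; the page does not list OpenClaw's actual identity or credential file names, so the pattern list must be adjusted to the real layout.

```shell
#!/bin/sh
# Added example, not part of the skill: list files in the backup staging
# directory whose names suggest key material or tokens, so they can be reviewed
# or excluded before rsync copies them into the Git working tree and `git push`
# sends them to the remote. The name patterns are an assumption; the page does
# not list OpenClaw's actual identity or credential file names.
set -eu

# Case-insensitive patterns for the last path component (assumed; extend to taste).
SENSITIVE_RE='(^|/)(id_(rsa|dsa|ecdsa|ed25519)|[^/]*\.(pem|key|p12|pfx)|[^/]*(token|secret|credential|password)[^/]*|\.env(\.[^/]*)?)$'

# Print matching regular files under DIR as paths relative to DIR,
# skipping Git metadata. Prints nothing when there are no hits.
find_sensitive_files() {
  dir="$1"
  find "$dir" -type f -not -path '*/.git/*' \
    | cut -c "$((${#dir} + 2))-" \
    | grep -iE "$SENSITIVE_RE" | LC_ALL=C sort
}

# Turn the hits into an rsync exclude list (anchored with a leading slash so
# each rule matches only that path under the transfer root) and print the
# number of rules written. The backup's rsync can then take
# --exclude-from=FILE; anything excluded must be restored by another channel.
write_exclude_file() {
  find_sensitive_files "$1" | sed 's|^|/|' > "$2"
  wc -l < "$2" | tr -d ' '
}

# Dry run of the copy the backup would make (SRC DST EXCLUDE_FILE), showing
# which files the exclusions drop. Trailing slashes copy the contents of SRC
# rather than nesting SRC inside DST.
preview_backup() {
  command -v rsync >/dev/null 2>&1 || { echo "rsync not found in PATH" >&2; return 1; }
  rsync -a --dry-run --itemize-changes --exclude-from="$3" "$1/" "$2/"
}

# Constructed sample tree standing in for ~/.openclaw (empty placeholder files).
make_sample_backup() {
  t=$(mktemp -d)
  mkdir -p "$t/identity" "$t/auth" "$t/workspace" "$t/.git/objects"
  for f in config.json identity/id_ed25519 identity/id_ed25519.pub \
           auth/api_token.json .env workspace/notes.md .git/objects/abc; do
    : > "$t/$f"
  done
  echo "$t"
}

# Usage: sh backup-audit.sh /path/to/staging/dir
if [ $# -gt 0 ]; then
  find_sensitive_files "$1"
fi
```

A name-based scan is a triage aid, not proof of absence: a token stored in config.json under an innocuous name is not caught, so the review of the actual contents that the guidance asks for still applies. Excluding files from the rsync also means the restore path no longer recovers them, which is the point for a repo-hosted backup but has to be planned for separately.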
Persistence & Privilege
ok: always is false, and the skill does not request persistent platform privileges or modify other skills. It does, however, read and write the user's OpenClaw runtime data and will perform autonomous git operations when invoked; that autonomy is platform-default and not by itself a flag here.