Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OCTOOL for backup
v1.0.15
Openclaw Visual Configuration Assistant. Provides a secure wizard for local/Git backup and workspace migration.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (visual backup assistant for local/Git backups and workspace migration) match the provided artifacts: a single HTML UI that generates shell commands and optionally calls api.github.com when the user elects Git mode. There are no unrelated env vars, binaries, or install steps.
Instruction Scope
SKILL.md confines all actions to local browser operation: reads only files the user drops via the File API, generates plaintext shell commands for manual execution, and only contacts api.github.com if the user opts into Git mode. It explicitly disclaims any automated command execution. The only scope concern is the legitimate risk around storing a PAT in browser localStorage (documented in the skill).
Install Mechanism
No install spec or external downloads — instruction-only skill comprised of a local HTML file. This is the lowest-risk installation model and matches the stated frontend-only design.
Credentials
The skill requests no environment variables or system credentials. It does accept a user-provided GitHub PAT in the UI for direct api.github.com calls; the SKILL.md documents that the token is stored in browser localStorage for convenience. This is proportionate to optional Git backup functionality but carries the usual localStorage accessibility risks (noted below).
Persistence & Privilege
always:false and no modifications to other skills or system-wide settings. The skill does not request elevated privileges or persistent platform-level presence beyond the local HTML file and optional localStorage entry.
Assessment
This skill appears to do what it says, but take the following precautions before use:
- Only enter a GitHub PAT if you understand its scope: use a fine‑grained token limited to the target repo's Contents: Read & Write and nothing more.
- The PAT is stored in your browser localStorage for convenience; other scripts running under the same origin (e.g., other local files opened from file:// with the same origin behavior) could read that storage — clear configuration after use via the UI or manually remove the token.
- Inspect the oc-tool.html file before opening in your browser (it is self-contained HTML). If you want extra isolation, open it in a temporary browser profile or an offline environment.
- The tool only generates plaintext shell commands; it will not execute them. Carefully review any generated sed/rsync/cp/git commands before copying them into your terminal (they can modify ~/.bash_profile and other files if run).
- If you do not intend to use Git backups, run the page offline to avoid any accidental network calls.
- If you need more assurance, verify there are no unexpected fetch calls or external endpoints in the full HTML (the SKILL.md states only api.github.com is used when Git mode is selected).
Overall, the skill is internally coherent and appropriate for its stated purpose, provided you follow the usual precautions around entering and storing access tokens and reviewing generated shell commands.
Like a lobster shell, security has layers — review code before you run it.
latestvk9719tzn59dvyzzs55g4fjwxys84cq44
Runtime requirements
🖥️ Clawdis
