Email Backup
Warn
Audited by ClawScan on May 18, 2026.
Overview
This skill is meant to email selected backups, but its advertised sensitive-data cleaning appears broken, so secrets in the chosen folders may still be sent.
Only install this if you are comfortable with a tool that can archive and email chosen local folders. Until the cleanup bug is fixed, assume --clean may not remove secrets; inspect archives before sending and keep your QQ SMTP authorization code protected.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may trust the --clean option, but API keys, passwords, or other secrets in the selected folders can still remain in the emailed backup.
The archive path parameter is overwritten with each extracted file path, so the cleaned tarball is moved into the temporary extraction tree instead of replacing the original archive that is later emailed.
for file in files: file_path = os.path.join(root, file) ... shutil.move(temp_path, file_path)
Do not rely on --clean until the archive-replacement bug is fixed and tested; use --no-send to inspect backups first and explicitly exclude sensitive files.
Choosing a broad folder or wrong recipient could send private project, agent, or configuration data by email.
The skill can package arbitrary local directories, including examples that cover OpenClaw agent and workspace folders, and then send them as an email attachment.
Supports packaging any directory into a tar.gz archive ... python3 scripts/backup_and_send.py ~/.openclaw/agents ~/.openclaw/workspace --clean
Run it only on intended folders, verify the recipient, prefer --no-send for review, and use explicit --exclude patterns for sensitive paths.
The skill will use the configured QQ mailbox authorization code to send mail; mishandling that code could allow unwanted mail sending.
The skill documentation shows it needs QQ email credentials even though the skill metadata does not declare required environment variables.
metadata: ... env: [] ... export QQ_EMAIL="your-email@qq.com"; export QQ_SMTP_PASSWORD="your-auth-code"
Use a dedicated QQ SMTP authorization code, keep it out of source files and shell history where possible, and revoke it if no longer needed.
Following a substituted or untrusted download URL could install code different from the reviewed artifacts.
The installation instructions include a remote tarball download and extraction path using a placeholder URL with no checksum or signature verification.
curl -L -o email-backup-skill.tar.gz https://example.com/email-backup-skill.tar.gz ... tar -xzf email-backup-skill.tar.gz
Prefer installing from ClawHub or a verified release source, and avoid running placeholder curl/tar commands without checking provenance.
