Openclaw Backup

Security checks across malware telemetry and agentic risk

Overview

This backup skill is mostly purpose-aligned, but it should be reviewed because it handles sensitive OpenClaw data, installs cron persistence, and includes unsafe deletion guidance.

Install only if you intentionally want full OpenClaw backups. Prefer the encrypted script, do not upload plaintext archives to cloud folders, protect the backup password, inspect any cron entry it creates, and avoid the documented rm/find/xargs cleanup commands unless you have previewed exactly what they will delete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (21)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs users to run destructive commands such as `find ... -delete` and `rm -rf` to exclude files, but it does not explicitly warn that these commands permanently remove data from the staging/source tree if variables are wrong or misunderstood. In backup guidance, destructive cleanup is especially risky because users may assume operations are non-destructive and accidentally delete valuable files.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide recommends copying backup artifacts to iCloud and a remote server without an explicit privacy warning about transmitting potentially sensitive configuration, memory, and workspace data off the local machine. Even if backups are intended to be encrypted, the documentation should state the disclosure risk and prerequisite controls clearly because users may adapt the workflow or upload unencrypted files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The cleanup example bulk-deletes old backup archives with `xargs rm -f` but does not clearly warn that the action is irreversible. In a backup tool context this is particularly dangerous, because mistaken globbing, unexpected filenames, or user confusion can destroy the very recovery data the guide is meant to protect.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises automated backup, cron scheduling, cloud sync, and handling of highly sensitive OpenClaw data such as API keys, memory files, custom skills, and login state, but it does not explicitly warn users about the privacy, storage, retention, and exfiltration risks of copying this data to archives and third-party cloud providers. In a backup/security-themed skill, this omission is materially relevant because users may enable automation and cloud sync without understanding the sensitivity of the data being replicated.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The FAQ provides several irreversible backup-deletion commands, including wildcard-based and piped deletion patterns, without warning users about permanent removal or encouraging dry-run verification. In backup tooling documentation, this is risky because users may delete too many archives or the wrong files, directly undermining recovery capability.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The performance section recommends recursive `rm -rf` commands against paths containing globs, without warning about irreversible deletion or the risk of broader-than-intended matches. Because the FAQ concerns backup preservation, advice that removes logs or skill dependencies can accidentally destroy useful data or break installed skills.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The troubleshooting guidance suggests exporting the backup password into an environment variable without warning that secrets in environment variables can be exposed via shell history, process inspection, logs, or inherited subprocesses. For backup encryption credentials, this increases the risk of credential disclosure and compromise of protected archives.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README encourages syncing backups to iCloud, Google Drive, and Dropbox but does not explicitly warn that OpenClaw backups may contain highly sensitive material such as configuration, memory, tokens, and API keys. Because it also documents an unencrypted backup mode, users may upload plaintext archives to third-party cloud storage and unintentionally expose secrets if the provider account or shared folder is compromised.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance says to use the skill for broad backup-related requests but does not define when the request is out of scope, such as backing up unrelated files, cloud accounts, or general system data. This ambiguity increases the chance of the agent applying the skill in the wrong context and exposing or modifying OpenClaw-related data unexpectedly.

Vague Triggers

Low
Confidence
84% confidence
Finding
The invocation guidance says to use the skill for broad backup-related requests but does not define when the request is out of scope, such as backing up unrelated files, cloud accounts, or general system data. This ambiguity increases the chance of the agent applying the skill in the wrong context and exposing or modifying OpenClaw-related data unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script allows the backup password to be supplied via the `OPENCLAW_BACKUP_PASSWORD` environment variable, then passes it to openssl on the command line using `-pass pass:"$BACKUP_PASSWORD"`. Environment-provided secrets are commonly exposed through shell history, process listings, CI logs, crash dumps, or inherited subprocess environments, so this creates a real credential-handling weakness even though the feature is meant for convenience.

Session Persistence

Medium
Category
Rogue Agent
Content
📅 频率: 每周日 21:00
📜 脚本: ~/.openclaw/skills/openclaw-backup/scripts/backup_encrypted.sh

查看所有定时任务: crontab -l
查看备份日志: tail -f /tmp/openclaw_backup.log
```
Confidence
86% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
### 3. Automated scheduled backups

```bash
$ crontab -l
0 21 * * 0 /Users/you/.openclaw/skills/openclaw-backup/scripts/backup_encrypted.sh >> /tmp/openclaw_backup.log 2>&1
```
Confidence
91% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
esac

# Check whether a task already exists
if crontab -l 2>/dev/null | grep -q "openclaw.*backup"; then
    echo ""
    echo "⚠️  发现已有 OpenClaw 备份任务,是否覆盖?[y/N]"
    read -p "> " CONFIRM
Confidence
97% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
fi
    
    # Remove the old task
    crontab -l 2>/dev/null | grep -v "openclaw.*backup" | crontab -
fi

# Add the new task
Confidence
97% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
fi

# Add the new task
(crontab -l 2>/dev/null; echo "$CRON_EXPR $BACKUP_SCRIPT >> /tmp/openclaw_backup.log 2>&1") | crontab -

echo ""
echo "✅ 定时备份已配置"
Confidence
98% confidence
Finding
crontab -l

Tool Parameter Abuse

High
Category
Tool Misuse
Content
find "$STATE_DIR_NEW" -name "*.log" -delete 2>/dev/null || true

# Exclude node_modules (if present)
find "$STATE_DIR_NEW" -name "node_modules" -type d -exec rm -rf {} + 2>/dev/null || true

# Exclude temporary files
find "$STATE_DIR_NEW" -name "*.tmp" -delete 2>/dev/null || true
Confidence
95% confidence
Finding
rm -rf {} + 2>/dev/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
du -sh "$STATE_DIR_NEW"/* | sort -hr | head -10

# Based on the output, exclude large files
rm -rf "$TMP_DIR/.openclaw/logs"
rm -rf "$TMP_DIR/.openclaw/.npm"
```
Confidence
91% confidence
Finding
rm -rf "$TMP_DIR/.openclaw/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# Based on the output, exclude large files
rm -rf "$TMP_DIR/.openclaw/logs"
rm -rf "$TMP_DIR/.openclaw/.npm"
```

### 3. Split backups (large files)
Confidence
91% confidence
Finding
rm -rf "$TMP_DIR/.openclaw/

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Clean up old backups (keep the 5 most recent)
cd ~/Desktop/OpenClaw_Backups
ls -t openclaw_backup_*.tar.gz.enc | tail -n +6 | xargs rm -f
```

### Problem 3: cron job fails
Confidence
96% confidence
Finding
| xargs rm

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# Add before cp -a
echo "清理临时文件..."
find "$STATE_DIR_NEW" -name "*.log" -delete 2>/dev/null || true
find "$STATE_DIR_NEW" -name "node_modules" -type d -exec rm -rf {} + 2>/dev/null || true
```

---
Confidence
95% confidence
Finding
rm -rf {} + 2>/dev/

VirusTotal

65/65 vendors flagged this skill as clean.
