Skillv1.0.0

ClawScan security

Openclaw Restore · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 13, 2026, 6:02 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to implement a legitimate OpenClaw restore utility, but there are packaging and declaration inconsistencies (undeclared env vars/binaries, a referenced but missing script, and a prompt-injection signal) that warrant caution before installing.
Guidance: This skill's code looks like a straightforward OpenClaw restore tool, but there are a few red flags you should address before installing or running it: - Inspect the scripts locally line-by-line (restore.sh, restore_encrypted.sh, restore_latest.sh). They will move/overwrite ~/.openclaw and related data; ensure you trust the source. - The package metadata does not declare required binaries or env vars, but the scripts use openssl, tar, shasum, and optionally OPENCLAW_BACKUP_PASSWORD and OPENCLAW_BACKUP_DIR. Make sure those tools exist and avoid putting sensitive passwords in plaintext env vars. - SKILL.md contained a prompt-injection (unicode-control-chars) signal — open the file in a hex-capable editor to confirm there are no hidden control characters or malicious invisible sequences. - SKILL.md references a list_restoreable script, but that script is not present in the file manifest; confirm the distributor's repository or request a corrected package. - Because these scripts are destructive (they move and copy your config), test on a non-production machine or with copies of your backups first. Keep an independent copy of your current ~/.openclaw before running. - Prefer to run the included scripts manually rather than allowing an agent to invoke them autonomously until you've verified behavior. If the author/publisher is trusted and you verify the above, the functionality itself is consistent with the stated purpose. If you cannot verify the files or find hidden characters, do not run the scripts.
Findings: [unicode-control-chars] unexpected: The SKILL.md triggered a unicode-control-chars prompt-injection signal. There is no legitimate need for hidden/control characters in a restore script manifest; this may be an attempt to manipulate parsing or evaluations. The rest of the code is plain shell, but this finding should be investigated (inspect SKILL.md for invisible characters) before trusting automated ingestion.

Review Dimensions

Purpose & Capability: noteThe name/description match the provided scripts: they stop the OpenClaw gateway, decrypt (optional), validate, back up current data, and restore ~/.openclaw and ~/.clawdbot. However, the skill declares no required binaries/env vars while the scripts clearly expect tools (openssl, tar, shasum) and optional env vars (OPENCLAW_BACKUP_PASSWORD, OPENCLAW_BACKUP_DIR). That mismatch is a packaging inconsistency.
Instruction Scope: okThe runtime instructions and included scripts stay within the stated purpose: they read backups, optionally prompt for a password or read OPENCLAW_BACKUP_PASSWORD, extract archives to /tmp, move and overwrite user data in $HOME (~/.openclaw), and call openclaw commands. Those actions are expected for a restore tool, but note they perform destructive filesystem operations (mv and cp over ~/.openclaw) — the scripts do create a timestamped backup of existing data and prompt for confirmation in restore_latest.sh and on checksum failure.
Install Mechanism: okThis is an instruction-and-script-only skill (no install spec). No network download/install steps are embedded, so nothing arbitrary will be fetched at install time. The lack of an install mechanism limits extra risk, but it also means the user-provided environment must supply required tools.
Credentials: concernThe skill package does not declare required environment variables or binaries, yet scripts reference OPENCLAW_BACKUP_PASSWORD and OPENCLAW_BACKUP_DIR and call shasum/openssl/tar/openclaw. Requesting a backup password via an env var (OPENCLAW_BACKUP_PASSWORD) is functional but sensitive; the README even suggests storing the password in plaintext env vars (not recommended). The omission of these requirements from metadata is an inconsistency that could mislead users about what sensitive data might be used.
Persistence & Privilege: okThe skill does not request permanent/always inclusion (always: false) and allows normal autonomous invocation. It does not modify other skills or global agent settings. Autonomous invocation is the platform default and not a standalone concern here.