Back to skill

Security audit

Openclaw Restore

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate OpenClaw restore tool, but it deserves Review because it can replace active OpenClaw state, credentials, memories, and skills from a backup with limited safeguards on some restore paths.

Install only if you trust the publisher and the backups you will restore. Before running direct restore scripts, keep an extra copy of your current ~/.openclaw and ~/.clawdbot data, verify checksums from a trusted source, and remember that a backup can reintroduce old credentials, sessions, memories, skills, and configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README documents a restore workflow that stops services, overwrites ~/.openclaw, and restarts the gateway, but it does not prominently warn users up front that the operation is destructive and may replace current state. In a backup/restore skill, insufficient warning increases the chance of accidental data loss or restoration of stale/malicious state because users may run the commands without understanding the consequences.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The phrase "fix broken installation" is an ambiguous activation condition that is not limited to backup restoration. This increases the chance that the skill is invoked during general troubleshooting, where it may perform high-impact operations like replacing ~/.openclaw with backup contents even when restore was not requested.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The phrase "fix broken installation" is an ambiguous activation condition that is not limited to backup restoration. This increases the chance that the skill is invoked during general troubleshooting, where it may perform high-impact operations like replacing ~/.openclaw with backup contents even when restore was not requested.

Vague Triggers

Low
Confidence
77% confidence
Finding
The trigger phrase "列出备份" is generic and not clearly scoped to OpenClaw backups. This could cause the skill to activate in response to unrelated requests about backups, exposing backup filenames or steering the user toward restore operations they did not mean to perform.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.