Daily Backup System

Security checks across malware telemetry and agentic risk

Overview

This backup skill has a coherent disaster-recovery purpose, but it would copy API keys and agent data into recurring archives using a script that is not included for review.

Install only if you are comfortable maintaining a recurring full backup that may contain API keys and private agent memory. Before scheduling it, obtain and review the actual daily_backup.sh script, choose a private backup location, encrypt archives, restrict file permissions, document how to disable the cron job, and have a plan to rotate credentials if a backup is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly states that backups include `.env` files and API keys, but it provides no warning or controls for encrypting, restricting access to, or safely storing the resulting archive. A full-system backup containing secrets materially increases exposure because anyone who obtains the archive can recover credentials, configuration, and potentially privileged access to the OpenClaw environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal