claw-saver
Rating: Warn
Audited by ClawScan on May 12, 2026.
Overview
The skill matches a backup/restore purpose, but it backs up highly sensitive OpenClaw credentials and memory to Git, makes conflicting token-safety claims, and uses unsafe shell command construction.
Install only if you are comfortable placing the full OpenClaw environment, including secrets and agent memory, into a tightly controlled Git repository. Use a private encrypted repo if possible, review what will be committed, avoid broad tokens, and be cautious enabling scheduled backups until the token-handling and shell-command issues are fixed.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can access the backup repository may be able to recover OpenClaw account credentials, session data, device identity keys, and other delegated access material.
The skill explicitly includes auth profiles, credentials, identity keys, and token-bearing configuration in the backup set.
agents/          # Agent configurations, auth profiles, session data
credentials/     # Channel credentials and keys
identity/        # Device identity keys
openclaw.json    # Core configuration (contains tokens)
> **User data principle**: If in doubt, it is backed up.
Use only a private, access-controlled repository; prefer encryption or explicit secret exclusions; use a least-privilege token; and review backup contents before enabling scheduled pushes.

Private documents and agent memory can leave the local machine, and restoring old or compromised backups could reintroduce stale or poisoned agent context.
The backup scope includes private knowledge bases, vector data, agent memory, and learned state, which can contain sensitive content and future agent context.
kb/              # Knowledge base (user docs + vector database)
workspace-*/     # Agent workspaces, memory, learnings
**/.learnings/   # Agent self-improvement logs
Limit the backup scope where possible, encrypt sensitive backups, restrict repository access, and inspect restored memory/knowledge data before relying on it.

A user may believe the backup token cannot be committed, while the documented backup scope suggests token-bearing configuration may be uploaded.
The security claims about token isolation conflict with the stated backup of openclaw.json containing tokens.
openclaw.json    # Core configuration (contains tokens)
...
**Token isolation**: The token is stored only in `~/.openclaw/.git/config`
...
**No token in commits**
Do not rely on the stated token-isolation claim unless the token is stored outside the backed-up tree or explicitly removed before commit; add secret scanning and exclusions.

If the repo URL, token, or related configuration is maliciously modified or contains shell metacharacters, backup or restore operations could execute unintended local commands as the user.
Repository URL and token-derived values are inserted directly into shell commands rather than passed as safely separated arguments.
const remoteUrl = token ? repoUrl.replace('://', `://${token}@`) : repoUrl;
await execAsync(`git remote add origin ${remoteUrl}`, { cwd: DOT });
Use execFile/spawn with argument arrays, strictly validate repository URLs and commit identifiers, and avoid passing secrets through shell-interpreted command strings.

After enabling cron, backups can continue periodically and upload new sensitive OpenClaw data until the cron job is disabled.
The skill can install a persistent cron job that continues running backups on a schedule.
const cronLine = `${cronExpr} ${script}`;
execSync(`(crontab -l 2>/dev/null; echo "${cronLine}") | crontab -`, { shell: '/bin/bash' });
Enable scheduled backups only if you want ongoing background uploads; periodically check crontab, and use the disable-cron command or revoke the token when no longer needed.
