claw-saver

The skill is a backup utility that intentionally collects and exfiltrates highly sensitive data, including 'credentials/', 'identity/' keys, and 'openclaw.json' (containing tokens), to a user-defined Git repository. While this aligns with its stated purpose of a 'full backup,' the implementation contains several high-risk security practices: it injects the Git access token into the remote URL (stored in plaintext in .git/config in lib/git.js) and embeds the token directly into the system crontab (scripts/cli.js), making it visible to other local processes. Additionally, the restore function in lib/restore.js performs a destructive wipe of the ~/.openclaw directory. While no hardcoded malicious exfiltration endpoint was found, the handling of secrets and the broad data access scope present a significant security risk.