Security audit

claw-saver

Security checks across malware telemetry and agentic risk

Overview

This backup skill appears to do its stated job, but it needs Review because it copies highly sensitive OpenClaw data to Git and has unsafe command and credential-handling choices.

Install only if you deliberately want nearly all OpenClaw state, including secrets and agent memory, committed to a trusted private Git repository. Use a minimally scoped revocable Git token, review the generated .gitignore and repository contents before pushing, avoid untrusted repo URLs or cron expressions, inspect crontab after enabling scheduling, and treat any existing backup repository as sensitive secret-bearing data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill claims a 'full backup' while omitting several paths, and it embeds the backup token into cron command lines. Putting secrets into crontab entries can expose them via process listings, shell history, backups of crontab, or local account inspection, and the misleading documentation increases the chance that users will trust the backup and leak sensitive data unintentionally.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code's backup behavior intentionally includes sensitive material such as credentials, identity data, and knowledge-base content, but the generated RESTORE.md tells users those items were excluded. This mismatch can cause operators to publish or share a repository under the false assumption that secrets are absent, leading to inadvertent credential disclosure and privacy compromise.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This skill is designed to commit and push highly sensitive data—including credentials, identity keys, tokens, per-workspace state, and agent memory—to a Git repository. Even if the repository is intended to be private, this dramatically expands exposure, creates durable copies of secrets in commit history, and can enable account compromise, impersonation, and leakage of confidential user data.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This file builds shell command strings and passes them to child_process.exec with multiple untrusted values interpolated directly, including repoUrl, targetDir, commitHash, filename, and even generic git arguments. Because exec invokes a shell, an attacker who controls any of these inputs can inject additional shell metacharacters and execute arbitrary OS commands. In a backup skill that operates on a user's OpenClaw environment and performs networked Git actions, that can lead to full local compromise, data exfiltration, destructive file operations, or persistence.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code suppresses stderr during push/clone, but it still inserts the authentication token directly into the remote URL and stores that URL in Git configuration via git remote set-url/add. That means the secret can remain on disk in .git/config, be exposed to other local processes or users, appear in diagnostics elsewhere, or be committed/backed up accidentally. In this skill's context, which backs up a sensitive ~/.openclaw directory, persistent token storage increases the blast radius from local compromise and secret leakage.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The CLI reads a backup Git token from local configuration and embeds it directly into the cron command line as an environment assignment. Command-line content for cron jobs is often readable via crontab listings, process metadata, logs, or shell history/admin tooling, so this can expose a secret and enable unauthorized repository access.

Intent-Code Divergence

High
Confidence
92% confidence
Finding
The file header documents restore as interactive, but the implemented restore path auto-selects the most recent backup and proceeds non-interactively. That mismatch is security-relevant because users may invoke a supposedly safe prompt-driven command and unexpectedly overwrite current state.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation normalizes repeated transmission of credentials, identity keys, memory, and other sensitive state to a remote Git repository without a prominent warning about the privacy and compromise implications. In this context, scheduled automated export of highly sensitive local state materially increases exposure and could lead to credential theft, account takeover, or long-term privacy loss if the repo or token is compromised.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
runBackup modifies local state by creating or updating .gitignore, initializing a repository, creating commits, generating RESTORE.md, and potentially pushing to a remote, yet there is no visible confirmation step or user-facing disclosure in this flow. In a backup skill operating over ~/.openclaw, silent mutation and publication of state materially increases the chance of unintended data exposure and irreversible persistence in Git history.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The code pulls a Git token from an environment variable and uses it for remote operations without any visible disclosure to the user that authentication material will be used. While reading a token from the environment is common, in this context it supports automatic exfiltration of potentially sensitive local state to a remote repository with little transparency.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This restore path performs a destructive wipe of the OpenClaw directory and then repopulates it from a cloned repository. Because the safeguard can be bypassed with `confirm: true` and there is no stronger validation of execution context, target path safety, or backup integrity at the point of deletion, an automation or compromised caller can trigger irreversible overwrite of local state.

Missing User Warnings

High
Confidence
98% confidence
Finding
The restore operation is invoked with confirm: false, meaning a destructive environment restore can happen immediately without user acknowledgment. In this skill's context, restoring ~/.openclaw can overwrite configuration, models, or credentials, causing loss of current state or rollback to attacker-controlled content if backups are compromised.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
set-cron accepts user-controlled expr and interpolates it directly into a bash command inside execSync. The validation only checks for the presence of '*', so an attacker can supply shell metacharacters or command substitutions and achieve arbitrary command execution when the command runs.

Ssd 3

High
Confidence
96% confidence
Finding
The skill explicitly instructs users to back up the entire OpenClaw environment including credentials, identity material, knowledge bases, and memory to a Git repository. In this context that is highly dangerous because Git repos are easy to sync, clone, misconfigure as public, or retain forever in history, so a single mistake can permanently expose secrets and private data.

Ssd 3

High
Confidence
98% confidence
Finding
The stated 'user data principle' directs inclusion of nearly everything in ~/.openclaw, explicitly including credentials, identity keys, knowledge bases, learned data, and tokens. This creates a broad exfiltration channel to a remote Git service and dramatically amplifies the blast radius of any repository compromise, token leak, or accidental publication.

Ssd 3

High
Confidence
98% confidence
Finding
The comments establish a design principle that user data, configs, credentials, knowledge bases, agent memory, and scripts should all be backed up with 'no exceptions.' That is not merely documentation noise here: it directly reflects the implemented behavior and signals an unsafe default posture toward secret and privacy-sensitive material.

Ssd 3

High
Confidence
99% confidence
Finding
The generated .gitignore guidance explicitly states that credentials, identity keys, knowledge bases, core configuration with tokens, workspace state, and learning logs are intentionally not ignored, meaning they will be captured and committed. In a Git-backed backup workflow, this creates long-lived copies of secrets and sensitive behavioral data that are easy to replicate, sync, and accidentally disclose.

Session Persistence

Medium
Category
Rogue Agent
Content
// Add cron job
  const cronLine = `${cronExpr} ${script}`;
  execSync(`(crontab -l 2>/dev/null; echo "${cronLine}") | crontab -`, { shell: '/bin/bash' });
  console.log(`Cron enabled: ${cronExpr}`);
}
Confidence
90% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
}

  // Remove old and add new
  execSync(`(crontab -l 2>/dev/null | grep -v "backup.*cli.js"; echo "${expr} ${cronScript(expr)}") | crontab -`, { shell: '/bin/bash' });
  console.log(`Cron schedule updated: ${expr}`);
}
Confidence
94% confidence
Finding
crontab -l

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/cli.js:61