
Security audit

OpenClaw Backup Automation

Security checks across malware telemetry and agentic risk

Overview

This backup skill mostly matches its stated purpose, but it needs review for two reasons: restore can overwrite files under the home directory, and the optional git sync can push the whole workspace to a remote repository.

Review the skill before installing it. Use it only if you want local OpenClaw state backed up to ~/backups. Inspect an archive before restoring it, and avoid restore unless you are prepared for files under your home directory to be overwritten. Do not enable credential backup unless you need secrets included in the archive, and do not enable git sync until you have confirmed exactly which repository and which workspace contents will be pushed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill documents commands that read and write the user's home directory, depend on environment state, and back up or restore that state, but it declares no permissions or capability requirements. An agent can therefore invoke filesystem and environment-dependent actions with no declared consent boundary, which raises the risk of unintended access to credentials or other home-directory contents.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior goes beyond simple backup automation: it includes a destructive restore into the user's home directory, git synchronization, and local state changes for feature flags. Users and calling agents who rely on the description to judge safety can be surprised when the skill overwrites files, pushes backup contents to a remote, or alters local state.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The script's restore capability extracts an archive directly into the user's home directory, overwriting existing files under .openclaw and related paths. This exceeds a backup-only capability: a restore can destroy current state, roll back to stale data, or, if a crafted archive is restored, write attacker-influenced content into the home directory.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The skill's optional git synchronization commits local data and pushes it to a remote repository, which exceeds the stated scope of local tar archive backups. If users enable it without understanding the consequences, it becomes an exfiltration path for backed-up workspace data and any sensitive files it contains.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The gitSync function runs 'git add .', 'git commit', and 'git push origin main', which publishes the entire workspace to a remote repository. For a backup tool this is dangerous: code, memory files, cron config, and any secrets present in the workspace can be pushed to an external destination.

Intent-Code Divergence
Severity: Low
Confidence: 91%
Finding: The restore flow tells users to restore credentials manually, but the extraction command restores the full archive automatically, including credentials if they were included at backup time. Operators can therefore misjudge what sensitive material has already been written back to disk, which undermines safe handling of restored secrets.
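
The inspection the Overview asks for before a restore, covering both restore findings above, as an added example and not code from the skill: it parses the ustar headers of an archive with Node built-ins, flags entries that would escape the home directory (absolute paths, '..' components, symlinks pointing outside the tree) or that look like credentials, and reports which existing files a restore would overwrite, so an operator can decide before anything is extracted. The credential name patterns, the home path, the set of existing files and the in-memory sample archive are constructed for the example.

```javascript
'use strict';
// Added example, not part of the OpenClaw Backup Automation skill: audit a tar
// archive before restoring it into the home directory. Uses only Node built-ins.

// Assumption: entry names that mark secret material.
const CREDENTIAL_PATTERNS = [/credential/i, /token/i, /\.env$/, /\.pem$/, /\.key$/];

// Parse one 512-byte ustar header; returns null at the end-of-archive zero block.
function parseHeader(buf, off) {
  const block = buf.subarray(off, off + 512);
  if (block.every((b) => b === 0)) return null;
  const field = (start, len) => block.toString('utf8', start, start + len).replace(/\0[\s\S]*$/, '');
  const name = field(0, 100);
  const prefix = field(345, 155);
  return {
    name: prefix ? `${prefix}/${name}` : name,
    size: parseInt(field(124, 12).trim() || '0', 8),
    type: field(156, 1) || '0',      // '0' regular file, '1' hardlink, '2' symlink, '5' directory
    linkname: field(157, 100),
  };
}

// Walk the archive; each entry gets the list of risks it carries.
function auditArchive(buf) {
  const entries = [];
  for (let off = 0; off + 512 <= buf.length; ) {
    const h = parseHeader(buf, off);
    if (h === null) break;
    const risks = [];
    if (h.name.startsWith('/')) risks.push('absolute-path');
    if (h.name.split('/').includes('..')) risks.push('path-traversal');
    if (h.type === '1') risks.push('hardlink');
    if (h.type === '2') {
      risks.push('symlink');
      if (h.linkname.startsWith('/') || h.linkname.split('/').includes('..')) risks.push('symlink-escape');
    }
    if (CREDENTIAL_PATTERNS.some((re) => re.test(h.name))) risks.push('credential');
    entries.push({ name: h.name, type: h.type, risks });
    off += 512 + Math.ceil(h.size / 512) * 512;   // skip the header and the padded data blocks
  }
  return entries;
}

// Where an entry lands when extracted under `home`, with '.' and '..' resolved.
function resolveUnder(home, name) {
  const out = home.split('/').filter(Boolean);
  for (const part of name.split('/')) {
    if (part === '..') out.pop();
    else if (part && part !== '.') out.push(part);
  }
  return `/${out.join('/')}`;
}

// Refuse archives with any structural risk; list credential entries and the
// existing files under `home` that a restore would overwrite.
function restorePlan(entries, home, existingFiles) {
  const blocked = entries.filter((e) => e.risks.some((r) => r !== 'credential'));
  const credentials = entries.filter((e) => e.risks.includes('credential'));
  const overwrites = entries
    .filter((e) => e.type === '0')
    .map((e) => resolveUnder(home, e.name))
    .filter((p) => existingFiles.has(p));
  return { ok: blocked.length === 0, blocked, credentials, overwrites };
}

// Constructed sample archive built in memory; not a real OpenClaw backup.
function tarHeader(name, size, type, linkname = '') {
  const h = Buffer.alloc(512);
  h.write(name, 0, 100, 'utf8');
  h.write('0000644\0', 100);                                   // mode
  h.write('0000000\0', 108);                                   // uid
  h.write('0000000\0', 116);                                   // gid
  h.write(`${size.toString(8).padStart(11, '0')}\0`, 124);     // size, octal
  h.write('00000000000\0', 136);                               // mtime
  h.write(type, 156);
  h.write(linkname, 157, 100, 'utf8');
  h.write('ustar\0', 257);
  h.write('00', 263);
  h.fill(0x20, 148, 156);            // checksum is computed with its own field as spaces
  let sum = 0;
  for (const b of h) sum += b;
  h.write(`${sum.toString(8).padStart(6, '0')}\0 `, 148);
  return h;
}
function tarFile(name, content) {
  const data = Buffer.from(content);
  const pad = Buffer.alloc((512 - (data.length % 512)) % 512);
  return Buffer.concat([tarHeader(name, data.length, '0'), data, pad]);
}
const SAMPLE_ARCHIVE = Buffer.concat([
  tarFile('.openclaw/config.json', '{"cron":"daily"}'),
  tarFile('.openclaw/credentials.json', '{"token":"constructed"}'),
  tarHeader('.openclaw/escape', 0, '2', '../../etc/passwd'),
  tarFile('../.ssh/authorized_keys', 'ssh-ed25519 AAAA constructed'),
  Buffer.alloc(1024),                                          // end-of-archive marker
]);

if (typeof require !== 'undefined' && require.main === module) {
  const entries = auditArchive(SAMPLE_ARCHIVE);
  const plan = restorePlan(entries, '/home/alice', new Set(['/home/alice/.openclaw/config.json']));
  console.log(JSON.stringify({ entries, ok: plan.ok, overwrites: plan.overwrites }, null, 2));
}
```

On the sample archive the plan is refused: the symlink escaping to /etc/passwd and the '../.ssh/authorized_keys' entry are blocked, credentials.json is reported as a credential the restore would write back despite the manual-restore message, and config.json is listed as an overwrite. For a real archive, pass `require('node:fs').readFileSync(archivePath)` to auditArchive and the operator's actual home directory and file set to restorePlan; only extract when `plan.ok` is true and the overwrite list is acceptable.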

Vague Triggers
Severity: Medium
Confidence: 80%
Finding: Broad triggers such as 'save' and 'export' can activate the skill in ordinary conversations unrelated to backup administration. In an agent environment this can produce unsolicited backup prompts or execution paths that handle sensitive data, increasing the chance of accidentally invoking backup, restore, or credential-related workflows.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The first-use suggestion logic matches vague phrases such as 'backup' or 'save my config' without scope constraints, so the agent may recommend enabling recurring backups when the user did not intend a system-level change. Because the skill also offers optional credential backup and git sync, overbroad activation can steer users toward sensitive operations unnecessarily.

VirusTotal

64/64 vendors reported this skill as clean. A clean antivirus result says nothing about the design-level findings above, which concern what the skill does by design rather than the presence of known malicious code.


Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process). This rule reports that the script invokes child_process; it does not by itself establish that untrusted input reaches the command, so check what the call at the flagged location executes and where its arguments come from.

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/backup.js:57