Skill v1.0.0
ClawScan security
Openclaw Backup 1.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 7:06 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and instructions are consistent with a local backup/restore utility for OpenClaw; it will archive sensitive config and credentials, so protect the produced backups and test restores before relying on automation.
- Guidance
- This skill appears to do what it says: create and rotate local backups of ~/.openclaw, including credentials and session data. Before installing/using it: 1) Understand that backups include sensitive secrets (API keys, tokens, Telegram sessions, agent auth) — store backups only on secure, access-controlled storage and consider encrypting them. 2) Restrict backup directory permissions (e.g., mkdir -m700 and chmod 600 on files) and avoid uploading raw backups to untrusted cloud providers without encryption. 3) Test the restore procedure in a safe environment (the restore script stops/starts the gateway and replaces ~/.openclaw). 4) Review the cron automation you enable so that the reported results do not leak backups or secrets to unintended recipients. 5) Note the script suppresses tar stderr (2>/dev/null), which can hide errors — monitor backup success and retention behavior. If you plan to keep backups off-machine, add encryption (gpg/age) or use a secure backup tool before exporting archives.
Review Dimensions
- Purpose & Capability
- ok: Name, description, SKILL.md, and the included scripts all align: the skill archives ~/.openclaw, documents what is included/excluded, offers restore steps, and provides rotation. The requested artifacts (configs, credentials, agents, workspace, telegram session, cron) match a backup/restore purpose.
- Instruction Scope
- note: Runtime instructions and the script operate only on the user's home ~/.openclaw directory and call local commands (tar, mv, openclaw gateway stop/start). There are no network endpoints, external uploads, or environment variables referenced. Notably, the instructions and script will archive credentials/telegram session and agent auth data — this is expected for a backup but is sensitive and the SKILL.md does not instruct encrypting or securing backups. The cron JSON payload references running the script and reporting results; that is platform-specific but not inherently malicious.
- Install Mechanism
- ok: No install spec; this is an instruction-only skill with a small shell script included. Nothing is downloaded or extracted from external URLs and no packages are installed, so disk-write/remote-code risk is low.
- Credentials
- note: The skill requests no environment variables or external credentials (proportional). However, the backup it creates will contain sensitive secrets (API keys, tokens, session data). The skill does not provide steps to encrypt backups, restrict permissions, or advise secure remote storage — this is a security consideration for users, not a mismatch in declared requirements.
- Persistence & Privilege
- ok: The skill is not forced-always and can be invoked by the user. It does not request to modify other skills or global agent settings. Autonomous invocation is allowed by default but not combined here with other high-risk factors.
