雷神之影 Mjolnir Shadow
v2.0.0Mjolnir Shadow (雷神之影) — Automated rotating backup system for OpenClaw workspaces. Creates GPG-encrypted, rotating backups of workspace files, configs, and da...
⭐ 0· 89·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description promise (rotating, GPG-encrypted backups of OpenClaw workspace to WebDAV) aligns with the scripts and SKILL.md: setup wizard, backup.sh, restore.sh and restore-kit.sh implement the described functionality and request only WebDAV credentials and optional GPG passphrase. No unrelated credentials or services are required.
Instruction Scope
Runtime instructions and scripts operate on the OpenClaw workspace and config (including installed skills) and upload archives to a WebDAV target — this is expected for a backup tool. The scripts attempt to exclude common sensitive files (*.gpg, .env, channel tokens) but they still pack entire workspace and skill directories; if secrets exist in unusual paths they could be included. The restore-kit also auto-installs system dependencies and OpenClaw when run on a bare machine (explicit in SKILL.md).
Install Mechanism
There is no formal install spec; the package is instruction + script based. The restore-kit may download system packages and Node.js from NodeSource/nodejs.org and uses apt/brew/npm as needed — these are common sources and consistent with a full restore workflow. The scripts do perform network downloads and may request sudo for system installs during restore (documented).
Credentials
No forced environment variables or external credentials are declared beyond the optional MJOLNIR_SHADOW_PASS. The skill legitimately needs WebDAV credentials (stored in a local encrypted config) and optional GPG passphrase for non-interactive runs — these are proportionate to the backup/restore purpose.
Persistence & Privilege
The skill is not force-included (always: false) and uses normal agent invocation. It does not attempt to modify other skills' configs beyond restoring files into the OpenClaw workspace (expected for a restore). The restore-kit can install system software (apt/npm/brew, write to /usr/local) which requires elevated privileges — this is normal for a bare‑metal restore but worth noting.
Assessment
This skill is coherent with its stated purpose, but take these precautions before installing or running it: 1) Only point backups to a WebDAV server you control and prefer HTTPS (the scripts warn on non-HTTPS but allow it). 2) Protect the GPG passphrase: use gpg-agent or a secure secret store; do not place MJOLNIR_SHADOW_PASS in plaintext cron lines or world-readable files. 3) Review the configuration (config/backup-config.json.gpg once decrypted) to confirm which paths will be backed up — installed skills and workspace files are included by default and may contain unexpected secrets. 4) The restore-kit can install system packages and Node/OpenClaw (may use sudo); run it only on machines you trust and after reading the script. 5) Verify the upstream source and author (GitHub repo link provided) before trusting automated restore actions. 6) If you need stricter control, run backup/restore manually or run in an isolated environment and consider disabling autonomous skill invocation if you don't want the agent to call it without supervision.Like a lobster shell, security has layers — review code before you run it.
latestvk9732s3bd7crtsqa4pzftzw0bs83hk23
License
MIT-0
Free to use, modify, and redistribute. No attribution required.