OpenClaw Backup & Restore — Encrypted OpenClaw Snapshots

Security checks across malware telemetry and agentic risk

Overview

This is a real backup-and-restore skill, but it can overwrite persistent agent state and run privileged setup actions with too little built-in user control.

Install only if you intentionally want this skill to back up and restore your full OpenClaw agent state through GitHub. Use a dedicated private repository and a tightly scoped token, protect and rotate BACKUP_PASSWORD, review what is inside ~/.openclaw before backing up, and do not run restore unless you have chosen the exact backup version and are comfortable overwriting local agent state. Prefer installing GPG yourself instead of letting the skill run sudo setup automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            ["tar", "czf", "-", *exclude_flags, "-C", str(SOURCE_DIR), "."],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        )
        gpg = subprocess.Popen(
            [
                "gpg", "--batch", "--yes", "--passphrase", password,
                "--symmetric", "--cipher-algo", "AES256",
Confidence
95% confidence
Finding
gpg = subprocess.Popen( [ "gpg", "--batch", "--yes", "--passphrase", password, "--symmetric", "--cipher-algo", "AES256", "-o", str(e

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        print("  Decrypting and extracting...")
        RESTORE_DIR.mkdir(parents=True, exist_ok=True)

        gpg = subprocess.Popen(
            [
                "gpg", "--batch", "--yes", "--passphrase", password,
                "--decrypt", str(encrypted_file),
Confidence
92% confidence
Finding
gpg = subprocess.Popen( [ "gpg", "--batch", "--yes", "--passphrase", password, "--decrypt", str(encrypted_file), ], stdout=s

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            ],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        )
        tar = subprocess.Popen(
            ["tar", "xzf", "-", "-C", str(RESTORE_DIR)],
            stdin=gpg.stdout, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        )
Confidence
98% confidence
Finding
tar = subprocess.Popen( ["tar", "xzf", "-", "-C", str(RESTORE_DIR)], stdin=gpg.stdout, stdout=subprocess.PIPE, stderr=subprocess.PIPE, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly requires environment variables, filesystem access, and shell execution, but it does not declare permissions explicitly in the manifest. This weakens policy enforcement and user awareness because a backup/restore skill can read and overwrite sensitive agent state and invoke external commands without an explicit capability boundary.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Restore data is extracted directly into the live ~/.openclaw directory rather than a constrained staging area containing only expected agent files. In the context of an agent skill, this is more dangerous because a remote backup can overwrite configuration, prompts, tools, or startup files that alter later agent behavior and persistence.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The restore flow automatically clones a remote Git repository and uses its contents to drive local restore operations. In this skill context, remote backup content is attacker-controlled if the repo, credentials, or transport are compromised, and the code performs only checksum verification against a manifest stored in the same untrusted repo, which does not establish authenticity.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger text is overly broad and includes casual phrases like 'save my agent' or 'load my stuff on the new box,' which can cause the skill to activate unintentionally. In this context, accidental invocation is risky because the skill performs destructive restore operations and remote backup actions affecting sensitive local state.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explains backup mechanics but does not prominently warn that restore can overwrite the local ~/.openclaw state and that retention deletes older backups. Users or agents may invoke restore/list/setup flows without understanding the destructive consequences, increasing the chance of irreversible data loss.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script retrieves a backup password from configuration and uses it to encrypt sensitive archives. Handling a long-lived encryption secret in ordinary config increases exposure if that config is readable, logged, or backed up elsewhere, and the danger is amplified because the same secret protects all snapshots.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
In non-interactive paths such as --latest or --version, the script extracts directly into the live workspace with no warning, backup, or confirmation. This can silently overwrite an existing agent state and, in this context, can replace trusted local configuration with content from an older or malicious snapshot.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup flow performs privileged package installation and initializes/pushes a Git repository without any interactive confirmation or safety check. In an agent skill context, that is dangerous because a user may trigger 'setup' indirectly and cause unintended local system modification and remote data publication behavior.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
    askpass.close()
    os.chmod(askpass.name, stat.S_IRWXU)  # 700 — owner only

    env = os.environ.copy()
    env["GIT_ASKPASS"] = askpass.name
    env["GIT_TERMINAL_PROMPT"] = "0"  # never prompt interactively
Confidence
84% confidence
Finding
os.environ.copy()

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Before running any command, verify:

1. **GPG is installed.** If not: `sudo apt-get update && sudo apt-get install -y gnupg gpg-agent`
2. **Credentials are configured** (see below)
3. **Setup has been run at least once** on this workspace: `python3 scripts/setup.py`
Confidence
86% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Before running any command, verify:

1. **GPG is installed.** If not: `sudo apt-get update && sudo apt-get install -y gnupg gpg-agent`
2. **Credentials are configured** (see below)
3. **Setup has been run at least once** on this workspace: `python3 scripts/setup.py`
Confidence
86% confidence
Finding
sudo

Chaining Abuse

High
Category
Tool Misuse
Content
Before running any command, verify:

1. **GPG is installed.** If not: `sudo apt-get update && sudo apt-get install -y gnupg gpg-agent`
2. **Credentials are configured** (see below)
3. **Setup has been run at least once** on this workspace: `python3 scripts/setup.py`
Confidence
84% confidence
Finding
&& sudo

VirusTotal

65/65 vendors flagged this skill as clean.
