v1.2.0

OpenClaw Backup & Restore — Encrypted OpenClaw Snapshots

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:02 AM.

Analysis

This appears to be a real backup/restore skill, but it can upload and overwrite your full OpenClaw agent state and handles powerful credentials, so it should be reviewed carefully before use.

Guidance: Install only if you trust this skill to handle your full OpenClaw state. Use a dedicated private GitHub repo and a narrowly scoped token, set a strong unique backup password, and confirm the exact backup version before any restore. Consider making a separate local copy of ~/.openclaw before restoring.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
SKILL.md
# Restore the latest version (non-interactive, best for AI agents)
python3 <skill-path>/scripts/restore.py --latest

The skill explicitly recommends non-interactive restore for agents. Restoring a full OpenClaw snapshot is a high-impact action because it changes persistent agent state, but the documented workflow does not require an explicit final confirmation or pre-restore safety backup.

User impact: A simple restore request could replace the current agent’s configuration, skills, and state with whatever is in the latest backup.
Recommendation: Before restoring, require explicit user confirmation of the exact version, make a local pre-restore backup, and provide a dry-run or preview of what will be changed.

Unexpected Code Execution
Severity: Medium; Confidence: High; Status: Note
scripts/setup.py
["sudo", "apt-get", "install", "-y", "-qq", "gnupg", "gpg-agent"]

Setup may install system packages with sudo when GPG is missing. This is disclosed and related to the backup purpose, but it is still a privileged local system change.

User impact: Running setup can modify the operating system package set, especially on systems with passwordless sudo.
Recommendation: Ask the user before privileged package installation, document supported operating systems, and prefer checking for dependencies without automatically installing them unless approved.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
scripts/backup.py
"gpg", "--batch", "--yes", "--passphrase", password,
"--symmetric", "--cipher-algo", "AES256"

The backup password is supplied to gpg as a command-line argument. That password protects every encrypted snapshot and may be exposed to local process inspection while the command runs.

User impact: Another local process or user on the same machine could potentially learn the backup password and decrypt stored snapshots.
Recommendation: Avoid passing secrets on the command line; use a protected file descriptor, GPG agent, or another non-argv secret delivery mechanism, and rotate the backup password if exposure is suspected.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
env-example.txt
# GitHub Personal Access Token with 'repo' scope
GITHUB_PAT=

The skill asks for a GitHub PAT with repo scope so it can push encrypted backups. This is purpose-aligned, but repo-scoped GitHub tokens can carry broad access to private repositories.

User impact: If the token is misconfigured, leaked, or reused elsewhere, it could affect more GitHub repositories than the backup repo.
Recommendation: Use the narrowest possible token, restrict it to only the intended private backup repository, and revoke/rotate it if the machine or skill directory is compromised.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Encrypted backup and restore for the `~/.openclaw` agent folder.

The backup scope is the whole OpenClaw agent folder, which may include persistent agent context, configuration, skills, and other state that will be reused after restore.

User impact: Restoring an old or unwanted snapshot can reintroduce stale instructions, vulnerable skills, or poisoned persistent context.
Recommendation: Only restore snapshots from a trusted repo and password, review restored skills/configuration after restore, and consider excluding or separately validating persistent memory and executable skill files.