Skillv2.0.0

ClawScan security

myclaw-backup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 28, 2026, 7:13 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is internally consistent: it implements a local backup/restore tool for OpenClaw and requests only the binaries and filesystem access needed for that purpose, but it contains several operational security caveats (HTTP server binding, token handling, cron modification) you should understand before installing.
Guidance: This skill appears to do exactly what it claims (full OpenClaw backup/restore) but it operates on highly sensitive files and offers a built-in HTTP server and cron scheduling — review these points before installing: - Trust boundary: backups contain bot tokens, API keys, session history and channel credentials. Only install/run on a trusted machine and protect the resulting .tar.gz files. - HTTP server defaults: serve.sh starts the Node server and binds to 0.0.0.0; although docs warn not to expose it, the default listen address makes it reachable on all interfaces. If you only want local access, modify the server to bind to 127.0.0.1 or run it behind a firewall/reverse proxy with TLS. - Token handling: serve.sh passes the token on the node command line and environment; command-line arguments can be visible to other local users via ps. Prefer passing the token via a protected environment or modify server.js/serve.sh to read the token from a secured file or prompt. - Exposure via URL: the UI embeds the token in links (query string). Query strings and logs may leak tokens (reverse proxies, access logs). Avoid sharing these URLs publicly; prefer scp/ssh when migrating between machines. - Cron changes: schedule.sh modifies the system crontab. Review the cron entry before enabling; use --disable to remove. If you lack admin consent, do not enable scheduling. - Restore safety: follow the skill advice — always run restores with --dry-run first. The restore scripts prompt for confirmation when not dry-run but the server can auto-confirm (echo 'yes' | restore) when invoked via the local restore endpoint; ensure only trusted local users can invoke that endpoint. - Audit and harden: inspect server.js, backup.sh, restore.sh yourself before using. Consider hardening: restrict server.listen to localhost, drop token from argv, enable TLS or run behind SSH tunnel, and ensure backup files have strict permissions and are transferred using scp/sftp. If you want to proceed: run backups locally first, inspect archives, test restore with --dry-run, and avoid starting the HTTP server on a machine exposed to untrusted networks. If you cannot review/modify code yourself, treat this as a high-trust skill and consider alternative migration methods (scp of archive) instead of enabling the built-in HTTP server.

Review Dimensions

Purpose & Capability: okName/description, declared required binaries (node, rsync, tar, python3, openclaw), and the provided scripts (backup/restore/schedule/serve + server.js + UI) all align with a backup-and-restore capability for OpenClaw. The files back up and restore ~/.openclaw and related data as described.
Instruction Scope: noteSKILL.md and the scripts explicitly read and overwrite ~/.openclaw, modify crontab (schedule.sh), and optionally start an HTTP server for upload/download/restore. That behavior matches the stated purpose, but the runtime instructions do grant the skill broad read/write access to highly sensitive local data (bot tokens, API keys, session history) and ability to change system crontab — these are expected for a full backup tool but are high-trust operations and worth caution.
Install Mechanism: okNo install spec (instruction-only) and all code is bundled in the skill. Nothing is downloaded from untrusted URLs or installed from remote package sources by the skill itself.
Credentials: noteThe skill declares no required environment variables, which is proportionate. However the serve.sh/server.js flow requires the operator to provide a token; serve.sh passes that token on the command line and environment when launching node. Passing secrets on the command line may expose them to other local users (ps output) and is a practical security risk though not inconsistent with the skill's function.
Persistence & Privilege: notealways:false (no forced global presence). The skill can add a cron entry (schedule.sh) to persist periodic backups — this is intentional for a backup tool but is a persistent change to the system crontab and should be enabled only with operator consent. The HTTP server also listens for network connections (server.listen uses 0.0.0.0), which is a persistent network presence while running.