openclaw-all-backup

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local OpenClaw backup helper, but its backups should be treated as sensitive because they can include credentials and logs.

Install only if you want a complete local copy of your OpenClaw state. Protect the timestamped backup directory like the original ~/.openclaw directory, avoid sharing or syncing it unintentionally, and verify both source and destination paths before running the restore commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly states that backups include credentials, logs, workspace data, and all hidden files, but it does not prominently warn users that this duplicates sensitive material into another directory. That increases the chance of secret sprawl, unintended retention, and accidental exposure if the backup path has weaker access controls or is later shared, synced, or inspected by other tools.

Missing User Warnings

Medium
Confidence: 91%
Finding
The restore example uses mv to rename the active configuration and replace it with a backup, which is an operationally destructive action if performed incorrectly or on the wrong directory. Without a strong warning and verification steps, users could disrupt their current environment, lose recent state, or restore stale or tampered configuration data.

VirusTotal

64/64 vendors flagged this skill as clean.
