openclaw-reliable-backup

Security checks across malware telemetry and agentic risk

Overview

This backup skill is mostly coherent, but it can package sensitive OpenClaw credentials and system state and send them by email without built-in encryption safeguards.

Install only if you intentionally want broad OpenClaw backups that may include API keys, identity files, workspace data, and other private state. Prefer local encrypted storage with strict permissions, skip email delivery unless archives are encrypted before sending, and review any mail-skill install, cleanup, restore, or gateway-control command before approving it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill expands its scope from backup management into discovering, installing, and configuring a separate mail skill, including collecting SMTP server details and passwords. This creates an unnecessary privilege and trust boundary jump: a backup request can lead to package installation and handling of additional secrets, increasing the attack surface and the chance of unsafe operator behavior.

Intent-Code Divergence

High
Confidence: 97%
Finding
The privacy section states that all backup files are stored locally and that there is no remote transmission unless the user configures email, but the earlier workflow explicitly instructs routine emailing of backup archives. This inconsistency can mislead users about data handling and consent, especially because the backups include sensitive state such as credentials and identity data.

Vague Triggers

Medium
Confidence: 78%
Finding
Using a broad trigger like '备份' without clearer boundaries can cause the skill to activate on casual discussion or unrelated requests. In this skill's context, accidental activation is more dangerous than usual because the described actions include copying sensitive files, creating snapshots before changes, scheduling tasks, and potentially sending archives by email.

Ssd 3

High
Confidence: 99%
Finding
The skill instructs packaging highly sensitive local state—including credentials, identity, agents, workspace, and other OpenClaw data—into a zip file and transmitting it by email as part of normal backup operations. Email is typically not a secure secret-storage channel, so this can expose credentials and full system state through mailbox compromise, misdelivery, insecure SMTP configuration, retained copies on providers, or interception of attachments.

VirusTotal

66/66 vendors flagged this skill as clean.
