克隆龙虾 (Clone Lobster)

Security checks across malware telemetry and agentic risk

Overview

This is a real backup and restore skill, but it can automatically upload sensitive agent state, configuration, session data, and SSH/system details to Git with too little per-run control.

Install only if you intend to maintain a private Git backup of sensitive OpenClaw state and fully control the destination repository. Disable automatic and heartbeat backups, review every file before pushing, exclude secrets and session databases unless absolutely needed, and verify the repository contents before restoring skills or configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger conditions are broad enough that ordinary conversation about saving, syncing, or configuration changes could cause the agent to invoke backup behavior without a clear, informed user action. Because the backup scope includes sensitive local and conversational data, ambiguous invocation substantially increases the chance of unintended data exfiltration.

Vague Triggers

High
Confidence
97% confidence
Finding
The auto-trigger rules authorize backup after loosely defined 'important changes,' before conversation end, and on vague keywords such as 'save' or 'sync.' In this context, that creates a direct path for silently persisting sensitive workspace, memory, and configuration data to a remote repository without deliberate authorization.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill presents backup to Git as a normal feature but does not clearly warn that sensitive local files, context stores, and credentials may be transmitted off-host to a remote repository. This undermines informed consent and can lead users to expose secrets or private conversation data unintentionally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide instructs users to back up highly sensitive material including identity files, memory, conversation context, SSH/system configuration, and installed skills into a Git repository, but it provides no warning about confidentiality, retention, access control, or accidental disclosure risks. In the context of an automatic backup/restore skill, this is especially dangerous because users may unknowingly persist secrets and private data to a remote repo, creating a large exfiltration and compromise surface if the repository, deploy key, or host is misconfigured.

Missing User Warnings

High
Confidence
98% confidence
Finding
This script copies highly sensitive data including SSH configuration, installed package lists, supervisor status, OpenClaw configs, skills, workspace files, and session/context databases into a local clone and then pushes them to a remote Git repository. Because the repository URL is controlled by an environment variable and there is no explicit scope confirmation, redaction, encryption, or allowlist, the skill creates a clear exfiltration path for secrets, personal data, and system metadata.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs automatic backup of conversation context, memory, installed skills, configuration, and system modifications into Git. That is dangerous because these data classes commonly contain secrets, private user content, operational details, and persistence artifacts, and automating their collection and upload creates a high-risk exfiltration mechanism.

Ssd 3

High
Confidence
99% confidence
Finding
The backup scope includes workspace files, memory/context stores, session databases, and SSH configuration, which are highly sensitive and may contain credentials, tokens, private prompts, host information, and access details. Centralizing these artifacts in a Git repository meaningfully increases compromise impact and expands the blast radius if the repo or SSH key is exposed.

Ssd 3

High
Confidence
98% confidence
Finding
The rules instruct the agent to persist accumulated conversation changes and important modifications before the conversation ends, effectively turning routine interaction into a trigger for data export. In a skill designed to handle context and configuration, this makes sensitive data leakage much more likely because the user may not realize that transient dialogue and newly introduced secrets are being durably stored remotely.

Ssd 3

Critical
Confidence
100% confidence
Finding
The note explicitly acknowledges that API keys and passwords are present in backed-up configuration while normalizing storage in the backup repository as long as access is controlled. This is highly dangerous because secrets in Git are easy to replicate, hard to revoke comprehensively, and can expose downstream systems even if the repository was intended to be private.

VirusTotal

66/66 vendors flagged this skill as clean.
