Skillv1.0.0

ClawScan security

克隆龙虾 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 2:44 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions largely match a backup/restore purpose, but it reads and pushes many potentially sensitive files (session DBs, config files, ~/.ssh/config) to a user-provided Git repo while the registry metadata omits required env settings—this mismatch and the sensitive-scope of the backup merit caution.
Guidance: This skill implements a full backup to a Git repo and will copy session DBs, openclaw.json (which may contain API keys/passwords), ~/.ssh/config and system info and push them to whatever repo you configure. Before installing or enabling it: (1) Ensure CLONE_LOBSTER_REPO_URL is set to a trusted, private repo and use a deploy key with minimal scope; (2) Review and, if needed, edit scripts to exclude sensitive files (or add filtering/encryption) — e.g., avoid backing up openclaw.json or strip secrets first; (3) Prefer manual invocation until you verify behavior; disable automatic triggers or limit them in SKILL.md; (4) Add explicit registry metadata for required env vars/credentials so users can see what will be used; (5) Test in a safe environment (temp account/repo) to confirm no unintended data is uploaded. If you cannot verify the destination repo and its access controls, do not enable autonomous backups.

Review Dimensions

Purpose & Capability: noteName, description, SKILL.md, and the scripts all align: the tool collects OpenClaw/CatPaw workspace, config, skills, system files and context and pushes them to a Git repo. However the registry metadata did not declare the CLONE_LOBSTER_REPO_URL env var or the expectation of an SSH deploy key, which is an omission (not necessarily malicious) and reduces transparency.
Instruction Scope: concernThe runtime instructions and backup.sh explicitly read many files beyond simple user configs: session databases, memory files, ~/.ssh/config, /etc/supervisor files, installed package lists, supervisor status, and whole skills directories (including code). Those actions match a broad backup goal but also collect highly sensitive data (API keys, secrets in openclaw.json or session DBs). The SKILL.md does warn about sensitive info, but the automatic-trigger rules (run on many change events) could cause repeated uploads without explicit per-run consent.
Install Mechanism: okThis is an instruction-only skill with included shell scripts; there is no install spec or remote download. That minimizes installer risk because no external binary is fetched during installation.
Credentials: concernThe scripts require a CLONE_LOBSTER_REPO_URL and an SSH key with write access to the repo, but the registry entry lists no required env vars or primary credential. The skill also uses optional OPENCLAW_WORKSPACE/OPENCLAW_DIR env vars. Expectation of SSH keys and a writable Git repo is reasonable for a backup tool, but the missing declaration in metadata is an inconsistency and the set of data accessed is high-impact (secrets & local system state).
Persistence & Privilege: okThe skill is not marked 'always:true' and does not request elevated/install-time persistence. It can be invoked autonomously (platform default); combined with the broad data access this increases blast radius if the agent runs backups automatically and the configured repo is untrusted. The scripts themselves do not attempt to modify other skills or global agent configuration.