Healthy Backup
ReviewAudited by ClawScan on May 1, 2026.
Overview
Healthy Backup is a coherent backup tool with sensitive but disclosed file access, optional cloud sync, and optional cron persistence that users should configure carefully.
This appears purpose-aligned for encrypted OpenClaw backups. Before installing, run the dry-run, confirm the backup tier and staged paths, store the backup key securely, use a dedicated rclone destination if cloud sync is enabled, and only enable cron after verifying the backup behavior.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Backups may contain private OpenClaw configuration and project content, even though the script redacts common secret fields, excludes secret paths, and encrypts the archive.
The skill openly documents reading sensitive local configuration, secret variable names, a backup key, and optionally broader workspace/skills content for backup.
`~/.openclaw/openclaw.json` ... `~/.openclaw/shared/secrets/openclaw-secrets.env` ... `~/.openclaw/credentials/backup.key` ... Workspace + skills dirs (full tier)
Run `--dry-run` first, choose the smallest useful tier, protect the backup password, and review what files are staged before enabling scheduled backups or cloud sync.
If enabled, the skill can write backup archives to the configured cloud remote and may rely on existing rclone account credentials.
Optional rclone support uses the user's existing rclone remote configuration to access a cloud destination.
`rclone listremotes` (if uploadMode=rclone) ... `rclone sync` (if uploadMode=rclone) | Upload encrypted archives
Use a dedicated backup folder/remote with limited permissions, and do not point rclone sync at a cloud location that contains unrelated files.
If the user opts in, backups will continue running on a schedule until the cron entry is removed.
The setup script can create a recurring cron job, but the default is no and it prompts the user first.
ask_yn "Install cron job?" "n" ... ( crontab -l 2>/dev/null | grep -v "healthy-backup.sh"; echo "$CL" ) | crontab -
Only enable cron after a successful dry-run, and use the provided removal command if you no longer want scheduled backups.
This does not show malicious behavior, but it makes release provenance and version matching less clear.
The registry metadata lacks source/homepage provenance and lists version 1.2.5, while the included SKILL.md, package.json, and scripts identify themselves as version 1.3.0.
Source: unknown; Homepage: none; Version: 1.2.5
Verify the package contents and checksums from a trusted source before relying on it for important backups.