OpenClaw Self Backup & Restore

Security checks across malware telemetry and agentic risk

Overview

This backup skill mostly matches its purpose, but it handles credentials and restores archives in a way that could overwrite unsafe paths or current agent state.

Install only if you understand that backups may contain API tokens, credentials, memories, skills, identity files, cron jobs, and selected workspace documents. Keep archives private or encrypted, do not share them, and do not restore archives from untrusted sources unless the restore script is changed to validate paths and preview overwrites first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The backup scope is described as agent configuration, skills, memory, and workspace state, but the script also includes specific personal investment documents that appear unrelated to core agent recovery. This creates unnecessary data exposure and over-collection risk: anyone invoking or accessing the backup may unintentionally archive sensitive personal files outside the expected scope.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The restore routine extracts every member from a user-supplied tarball directly into the user's home directory with no validation of member paths, destinations, or allowed scope. A crafted archive can use absolute paths, parent-directory traversal, symlinks, or unexpected filenames to overwrite arbitrary files in the home directory or escape it entirely, which is especially dangerous for a skill that restores agent state and may be run on trusted backups without scrutiny.

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger phrases are broad enough that normal user requests like "backup", "save current state", or "recover agent" could invoke this skill unintentionally. In this context, accidental invocation is risky because the skill handles highly sensitive data and can perform destructive restore operations.

Missing User Warnings

High
Confidence: 95%
Finding
The backup scope explicitly includes API credentials, environment files, memory, identity, and credentials directories, but the skill does not warn that the resulting archive contains secrets and sensitive personal/agent state. This materially increases the chance of unsafe storage, sharing, or transmission of the backup archive.

Missing User Warnings

High
Confidence: 94%
Finding
The restore instructions provide a direct restore command without warning that restoration can overwrite current configuration, skills, memory, and workspace files. Users may irreversibly lose current state or reintroduce compromised/obsolete content if they restore without understanding the overwrite semantics.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script archives highly sensitive files such as .env, credentials, and identity material without an explicit warning, confirmation step, or any backup encryption. In a backup skill, this is especially dangerous because users may assume the archive is a routine restore point, while it actually consolidates secrets into a single portable tarball that is easier to exfiltrate or mishandle.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script restores files into HOME immediately after listing them, without requiring confirmation, presenting a dry run, or warning that existing files may be overwritten. In the context of a backup/restore skill, users are likely to run it on archives they believe are safe, so the lack of confirmation materially increases the chance of accidental destructive overwrite and makes archive-based attacks easier to trigger.

VirusTotal

VirusTotal findings are pending for this skill version.