Skill v1.6.0

ClawScan security

Proxmox Backup Server Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 1:16 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches its stated purpose (managing PBS backups) but contains inconsistencies around secret handling and runtime instructions that warrant caution before installing.
Guidance
This skill appears to implement what it claims (managing PBS backups) and includes helper scripts, but pay particular attention to how secrets are handled during setup:
- The setup flow asks you to provide API tokens, PBS passwords, and NAS/SMB credentials. Those values are conveyed through the chat unless you choose to run all commands yourself. Chatting secrets is risky — verify your platform's chat retention policy and avoid sending long-lived credentials if you cannot delete them from logs.
- The skill stores credentials in plain JSON under ~/.openclaw/credentials/pbs-backup.json (the guide recommends chmod 600). That is functional but not encrypted; treat those files like sensitive secrets and store them on a trusted host or use short-lived/limited-scope tokens.
- The instructions tell the agent (or you) to run system-level commands (install packages, edit /etc/fstab, create credential files on remote hosts). Prefer the 'user executes' mode unless you fully trust the agent's ability to perform remote commands and you review each command before it runs.
- Minimize risk by creating a dedicated Proxmox API token with only 'backup' privileges (as documented), use limited accounts for SMB/NFS where possible, and rotate/revoke tokens after setup if you must share them through chat.
- Review the included scripts (backup.py, setup.py) before running. If you want stronger protection, modify the workflow to avoid sending secrets via chat (e.g., run setup locally on a trusted machine or paste secrets directly into the local setup prompt rather than into an agent conversation).

What would change this assessment: explicit encryption of on-disk credentials, avoiding any guidance that encourages pasting secrets into chat, or an implementation that performs secure, ephemeral secret exchange (e.g., out-of-band prompts only on the user's terminal).

Review Dimensions

Purpose & Capability
note: Name/description align with the included Python scripts and use of proxmoxer. Requiring python3 and proxmoxer is appropriate for Proxmox API operations. Storing config under ~/.openclaw/credentials is consistent with the skill's need to persist host/token information. Minor mismatch: SKILL.md states 'do not store passwords or token secrets in agent memory, logs, or daily notes', yet the workflow persists token_secret and similar credentials to ~/.openclaw/credentials/pbs-backup.json (expected for operation but worth highlighting).
Instruction Scope
concern: The SKILL.md instructs the agent to either run remote setup commands (via SSH) or print commands for the user; the shipped Python scripts do not perform remote SSH themselves and instead expect API tokens or the user to run commands. The instructions explicitly recommend passing secrets (API tokens, PBS root password, SMB credentials) through the chat for setup. That creates a real risk: secrets passed in chat may be retained in chat logs or memory outside of the script, and the skill's text claims they won't be stored, which is inconsistent with normal chat storage. The instructions also guide the agent/user to edit /etc/fstab, create credentials files on remote hosts, and run package/install commands — actions that modify system configuration and require care. These behaviors are functionally coherent for setup but expand the agent's scope (remote system changes and secret handling) and should be used only with explicit user approval.
Install Mechanism
ok: No install spec; this is instruction-plus-scripts only. No external downloads or archive extraction are performed by the skill itself. The scripts depend on the proxmoxer Python package and will fail with a clear error if it is missing (the README and references mention pip install proxmoxer). This is low-risk as long as the user inspects/controls package installation.
Credentials
concern: The skill does not request unrelated environment variables, but it requires sensitive credentials (Proxmox API tokens, PBS root password, SMB credentials) for legitimate function. Those credentials are persisted to ~/.openclaw/credentials/pbs-backup.json (and proxmox.json if imported) in plain JSON (protected by chmod 600 per the docs). The SKILL.md's claim that credentials 'are not stored in agent logs or memory' conflicts with both the practice of storing them on disk and the reality that chat messages (used to pass credentials) are often retained. Users should be aware secrets will be stored on disk in plaintext JSON and are transmitted via chat during setup unless they run commands locally themselves.
Persistence & Privilege
ok: always:false and no system-wide install hooks are present. The skill writes/reads files only under ~/.openclaw/credentials, which is within its own scope. It does not request to modify other skills or system-wide OpenClaw settings. Autonomous invocation is allowed (default) but not combined with other high privileges.