Skillv3.0.0

ClawScan security

Time Clawshine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 13, 2026, 1:08 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: Time Clawshine is internally consistent with a restic-based backup/restore tool: it requires root to manage system timers and files, installs restic/yq as needed, and its scripts operate on local repos and a local password file; there are no unexplained credential requests or hidden exfil endpoints in the provided materials, though it performs optional network actions when enabled.
Guidance: This skill appears to do what it says, but it is a system-level backup tool and must be treated accordingly: 1) Running setup.sh requires sudo and installs systemd/cron entries and binaries — review the scripts (especially lib.sh) before granting root. 2) The tool creates and relies on a local restic password file: back that up externally or you'll lose the ability to decrypt snapshots. 3) Network activity (yq download during setup, update checks to clawhub.com, and optional Telegram notifications) is present but described as opt-in; if you need an air-gapped install, set --no-system-install and disable UPDATE_CHECK/TG settings in config.yaml and run setup steps manually. 4) Restores default to / and run as root — be careful when restoring to avoid overwriting important system files. 5) If you want extra assurance, run bin/test.sh (non-root) first, and inspect lib.sh to confirm tg_send/tg_failure and restic_cmd implementations and any network/telemetry behavior. If any of these behaviors are unacceptable, do not run setup.sh with sudo.

Review Dimensions

Purpose & Capability: okThe name/description (hourly encrypted incremental snapshots via restic) matches the code and instructions. Required binaries (bash, openssl, curl, jq) and auto-installs (restic, yq) are reasonable for a restic-based backup tool. The scripts deliberately require root when installing systemd/cron and writing to /usr/local or /etc — this is proportional to a system-level backup service.
Instruction Scope: noteRuntime instructions and scripts operate on local files (config.yaml, repo path, password file) and perform expected operations: backup, forget/prune, restore (including restoring into / by default), integrity checks, and health/status reporting. Some behaviors require attention: many scripts run as root (setup, uninstall, restore) and can write anywhere on disk or remove system artifacts; network calls are present for update checks (clawhub API) and optional Telegram notifications — these are documented as opt-in but will perform network I/O if enabled in config. The SKILL.md tells the agent to run the bundled setup.sh and other scripts; that is consistent with the skill's purpose but grants wide file-system privileges when executed.
Install Mechanism: noteThis is instruction-only (no automated registry install), but the supplied setup.sh performs apt-get installs and downloads the yq binary from GitHub releases when needed. The setup script attempts checksum verification of the downloaded yq and uses standard package installation for restic/curl/jq. Downloading a binary from GitHub is common for yq; the script verifies checksums when available, reducing supply-chain risk. Installing systemd units and copying binaries to /usr/local/bin is expected for this utility but requires sudo.
Credentials: okThe skill declares no required environment variables and does not request unrelated cloud credentials. The backup encryption key is stored locally in a password file (config.yaml.repository.password_file) which the tool creates/uses; the SKILL.md explicitly tells the user to back up that password file separately. Telegram and update-check credentials are not required by default (opt-in via config), which is proportional to the stated feature set.
Persistence & Privilege: noteThe skill does not request always: true and allows normal model invocation. It intentionally requires root for setup/uninstall and will register systemd timers/cron, write to /usr/local/bin, and create/modify system config — these privileges are expected for a system backup/restore agent but are powerful. No evidence that it modifies other skills' configurations; uninstall preserves user data unless --purge is used.