Skill v1.0.0
ClawScan security
self-backup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 9, 2026, 8:06 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality (backing up OpenClaw workspace to a GitHub repo) is coherent, but the package metadata omits required tools and the instructions/scripts will read and push potentially sensitive local files — review before running.
- Guidance: This skill appears to do what it says, but before using it:
  1. Review the three scripts (setup.sh, backup.sh, sanitize-config.sh) yourself to confirm they match your expectations.
  2. Be aware the scripts will read files under ~/.openclaw (AGENTS.md, SOUL.md, MEMORY.md, openclaw.json, scripts/, skills/), so sensitive content could be copied to the remote repo.
  3. Ensure you have git, jq, and (optionally) gh installed — the metadata didn't declare these but the scripts require them; without jq sanitization is skipped.
  4. Use a private repository you control and test with --dry-run first. Inspect the sanitized openclaw.json output to verify redaction is sufficient for your config (the sanitizer targets specific keys and may miss nonstandard tokens).
  5. Avoid running as an elevated user; consider running the backup once manually in a safe environment or container before trusting automated/autonomous runs.
  6. If you do not trust the skill or want stricter guarantees, copy files manually into a safe location and audit them before pushing to any remote.
Review Dimensions
- Purpose & Capability (note): The skill's name/description match what the scripts do: copy ~/.openclaw workspace files, sanitize, and push to a GitHub repo. However, the registry metadata claims no required binaries or env vars while the scripts clearly expect git, jq (for sanitization), and optionally the GitHub CLI (gh). That mismatch between declared requirements and actual runtime needs is a configuration/information gap that could surprise users.
- Instruction Scope (note): SKILL.md and the scripts explicitly instruct the agent/user to read files under ~/.openclaw (AGENTS.md, SOUL.md, openclaw.json, scripts, memory, skills metadata) and to clone/push to a remote GitHub repository. Reading these local files is required for the stated backup purpose, but it does mean the skill will access potentially sensitive files (memory, identity, skill metadata). The scripts copy SKILL.md files from local skills (metadata-only), which could disclose local skill information.
- Install Mechanism (ok): There is no install spec (instruction-only) and the skill ships scripts that will run on-demand; nothing is downloaded from arbitrary URLs. This lowers code-install risk. Still, the scripts assume external tools (git, jq, gh) that must be present or installed per SKILL.md.
- Credentials (concern): The skill declares no required environment variables or primary credential, yet it expects the user to authenticate to GitHub (gh auth login) or otherwise provide git credentials to push backups. The omission of these expectations from metadata is misleading. Also, although sanitize-config.sh redacts some known token fields in openclaw.json, sanitization targets a limited set of keys and will skip sanitization if jq is missing — so secrets could still be pushed if users don't review outputs or lack jq.
- Persistence & Privilege (ok): The skill is not force-enabled (always: false) and does not request persistent elevated privileges. It can be invoked autonomously (platform default), which increases blast radius if you allow autonomous execution, but this is normal for skills and not a standalone red flag here.
