Openclaw Backup

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local OpenClaw backup skill, but the backup it creates includes API keys and should be protected.

Install and run this only if you want a full OpenClaw backup. Treat the generated Desktop folder as sensitive because it contains API keys and operational configuration; move it to encrypted or restricted storage, avoid desktop sync/sharing, and delete old backups when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly instructs users to copy the credentials directory containing API keys onto the Desktop, a less protected and highly visible location, without any warning, access-control guidance, or encryption. This increases the chance of accidental exposure through local users, screen sharing, desktop sync/backup tools, or later mishandling of the copied secrets.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script explicitly copies the user's OpenClaw credentials and related configuration into a timestamped folder on the Desktop, which is a less protected and more easily exposed location. This increases the attack surface for secrets by creating an additional plaintext copy that may be accessed by other local users, backup/sync tools, or accidental sharing.

VirusTotal

64/64 vendors flagged this skill as clean.
