Openclaw Backup
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
Anyone or anything with access to the created Desktop backup folder could read the copied OpenClaw API keys.
Why it was flagged
The script copies the local OpenClaw credentials directory into a Desktop backup folder. This is disclosed and aligned with the backup purpose, but it creates an additional copy of API keys.
Skill content
BACKUP_DIR="$HOME/Desktop/OpenClawBackup-$DATE" ... cp -r ~/.openclaw/credentials "$BACKUP_DIR/"
Recommendation
Run it only when you want this backup, keep the backup folder private, consider storing it in encrypted storage, and delete old backups when they are no longer needed.