Skill v1.0.0
ClawScan security
Restic Home Backup (Safe Apply Mode) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 8:48 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and instructions are coherent with its stated goal (setting up encrypted restic backups) and the included bootstrap script enforces a plan-only mode and reasonable safety checks; there are no unexplained network endpoints, secret exfiltration, or unrelated credentials requested.
- Guidance: This skill appears to do what it says, but follow these precautions before applying changes: (1) Review scripts/bootstrap_restic_home.sh locally in plan-only mode (run without --apply) to confirm paths/schedules. (2) Ensure restic is installed at /usr/bin/restic (or edit scripts to your restic path). (3) Be aware applying (--apply) writes files under /etc and /usr/local/bin and installs systemd units which will run as root; confirm this matches your security policy. (4) If you intend to use a remote backend (S3/B2/sftp), plan how repository credentials will be provided (the script currently generates/stores a local password file but does not manage cloud credentials). (5) After apply, verify permissions on /etc/restic-home/* (should be 600) and perform the restore smoke test described in the ops checklist. (6) If unsure, run in plan-only mode and manually inspect generated artifacts before using --apply. If you want a more restrictive setup (non-root service user, SELinux/AppArmor constraints, or integration with your secret manager), request those explicit changes before applying.
Review Dimensions
- Purpose & Capability (ok): Name/description (restic home backup with systemd automation) match the included artifacts: SKILL.md describes intended inputs/outputs and safety boundaries, and scripts/bootstrap_restic_home.sh creates env, backup/prune/check scripts and systemd units as advertised.
- Instruction Scope (note): SKILL.md and the bootstrap script stay within backup setup scope. The script is PLAN-ONLY by default and requires --apply to write to /etc, /usr/local/bin, and /etc/systemd/system, and it avoids printing secrets. Note: applying changes requires root privileges and the produced systemd units run without a User= line (will run as root); this is typical for full system backups but is a security decision the operator should review.
- Install Mechanism (ok): Instruction-only skill with a local bootstrap script; there is no network download/install step, no external package pulls, and no archives are extracted. Risk from install mechanism is low.
- Credentials (ok): The skill requests no external environment variables or credentials. It will create a local password file (/etc/restic-home/password) and an environment file (/etc/restic-home.env) to hold RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE; these are proportional to the task. Operators should note the script may generate a password if none exists and will store it on-disk.
- Persistence & Privilege (note): The skill does not request always:true and does not persist as a continuously running skill. If applied, it writes systemd timer/unit files and scripts into system locations (expected for a backup solution). This grants ongoing system behavior (scheduled backups) but that is coherent with the stated purpose.
