Restic Home Backup
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent restic backup skill, but its bootstrap script unsafely writes user-supplied values into a root-sourced shell environment file, which could allow unintended command execution.
Review and fix the bootstrap script before using it with real systems. If you still test it, run plan-only mode first, use only trusted simple repository/path values, inspect `/etc/restic-home.env`, verify password-file permissions are `600`, and confirm retention behavior before enabling timers.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a repository or password-file value is copied from untrusted text or contains shell syntax, setup or later backup/prune/check runs could execute commands with elevated privileges.
`REPO` and `PASS_FILE` come from command-line arguments and are written raw into a shell file that is later sourced by root-run scripts/services. Shell metacharacters, newlines, or command substitutions in those values could execute unintended commands.
cat >/etc/restic-home.env <<EOF
RESTIC_REPOSITORY=${REPO}
RESTIC_PASSWORD_FILE=${PASS_FILE}
...
source /etc/restic-home.env
Do not use untrusted repo/path strings. The maintainer should validate allowed characters, safely shell-quote values, or avoid `source` for user-controlled configuration; inspect `/etc/restic-home.env` before enabling timers.
On systems without `openssl`, the backup password could be left more readable than intended, allowing local users to access the encrypted backup repository if other conditions permit.
In the no-`openssl` fallback path, the `tr | head` pipeline can fail under `pipefail` before the later `chmod 600` runs, potentially leaving the generated restic password file with default file permissions.
set -euo pipefail
...
tr -dc 'A-Za-z0-9!@#$%^&*()-_=+[]{}:,.?' </dev/urandom | head -c 64 > "$PASS_FILE"
...
chmod 600 "$PASS_FILE"
Create the secret file with restrictive permissions before writing, such as `umask 077` or `install -m 600`, and verify the final mode with `ls -l`.
Once enabled, older recovery points may be removed according to the fixed 7 daily / 4 weekly / 12 monthly policy.
The generated prune script deletes old backup snapshots according to a fixed retention policy. This is expected for a backup-retention skill, but it is a high-impact operation.
exec /usr/bin/restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune
Confirm the retention policy before enabling prune timers, keep an independent offsite copy, and run restore checks before relying on pruning.
Backup-related jobs may continue to run automatically, including after missed schedules.
The skill can create persistent systemd timers that continue running backup, prune, and check jobs after setup. This is disclosed and controlled by `--enable-timers`.
Persistent=true ... systemctl enable --now restic-home-backup.timer restic-home-prune.timer restic-home-check.timer
Enable timers only when desired, and manage them with `systemctl list-timers`, `systemctl disable --now ...`, and journal review.
The skill may be invoked on an unsupported system or before required tools are installed, leading to failed or partial setup.
The registry metadata does not declare the Linux/systemd/restic assumptions visible in the artifacts. This is a dependency transparency gap, not evidence of hidden installation.
Required binaries (all must exist): none ... OS restriction: none
Declare Linux/systemd and `restic` prerequisites in metadata or documentation before installation/use.
