Cloud Backup

Security checks across malware telemetry and agentic risk

Overview

This backup skill appears purpose-aligned, but it handles sensitive OpenClaw state and cloud credentials while also creating recurring backup persistence by default.

Review this skill before installing. It is not clearly malicious, but it can back up sensitive OpenClaw state, use long-lived cloud credentials, and create recurring cron jobs. Only use bucket-scoped least-privilege keys, avoid committing or sharing config files, verify whether credentials would be included in backups, and approve any scheduled job only after checking the exact command, destination, and restore behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium (93% confidence)
The activation description is broad enough to trigger on common user phrases like 'backup' or 'restore' without sufficiently constraining scope to OpenClaw state management. That increases the chance of unintended invocation in unrelated contexts, which is risky here because the skill can create archives, modify persistent configuration, upload data to cloud storage, and set cron jobs.

Missing User Warnings

Medium (97% confidence)
The skill instructs the agent to create a daily cron job by default if one does not already exist, which is a persistent system change made without prior explicit user opt-in. In the context of a backup skill, this can silently establish ongoing automated execution that repeatedly archives and uploads potentially sensitive data, expanding the blast radius of accidental activation or misconfiguration.

Missing User Warnings

Medium (88% confidence)
The documentation explicitly instructs users to place long-lived AWS access keys into OpenClaw configuration, but does not warn about secret handling, storage protections, access controls, or preferable safer mechanisms. If OpenClaw config is readable by other local users, logged, exported, synced, or committed accidentally, these credentials could be exposed and used to access or destroy backup data in S3.

Missing User Warnings

Medium (94% confidence)
The documentation instructs users to place long-lived cloud access credentials directly into the tool's configuration without any warning about secret handling, redaction, file permissions, or safer secret-storage alternatives. If the configuration is stored on disk, checked into version control, exposed in logs, or read by other local users or plugins, an attacker could obtain the keys and access or delete backups in the B2 bucket.

Missing User Warnings

Medium (93% confidence)
The documentation instructs users to place long-lived, account-wide Spaces access keys directly into the skill configuration without any warning about their sensitivity, broad scope, or safer handling practices. Because DigitalOcean Spaces keys apply across all Spaces in the account, exposing or mishandling them could grant broad backup read/write access and potentially enable data theft, overwrite, or deletion beyond a single bucket.

Missing User Warnings

Medium (93% confidence)
The setup guidance tells users to place ACCESS_KEY_ID and SECRET_ACCESS_KEY directly into application config, which increases the chance that long-lived cloud credentials are stored in plaintext, backed up, logged, or exposed through config sharing. In this skill’s context, that risk is amplified because the same tool backs up the OpenClaw state directory and may therefore archive the credential-bearing config file itself.

VirusTotal

66/66 vendors flagged this skill as clean.
