ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Backup Optimized

Optimized OpenClaw backup skill for creating full snapshots with workspace archive splitting, change summaries, restore instructions, and Discord notifications. Use when you need to set up or run automated backups, configure backup cron jobs, or document/restore OpenClaw state. Triggers on backup automation, backup scripts, snapshot/restore, or GitHub backup repos.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
4 · 2.3k · 10 current installs · 11 all-time installs
by@cccarv82
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the code and docs: scripts/backup.js implements full snapshots of ~/.openclaw, workspace tar+split, SHA256, retention, notifications, and optional pushing to a git repo. The declared registry metadata lists no required env vars but the SKILL.md and script clearly document several environment variables the script honors (OPENCLAW_HOME, OPENCLAW_BACKUP_DIR, BACKUP_REPO_URL, BACKUP_CHANNEL_ID, BACKUP_TZ, BACKUP_MAX_HISTORY) — this mismatch is minor and likely documentation/metadata oversight.
Instruction Scope
SKILL.md instructs copying the script into ~/.openclaw/workspace/tools, running it with node, and adding an openclaw cron entry. The runtime instructions and the script operate only on the OpenClaw home/backup paths and use 'openclaw message send' for notifications. They do not try to read unrelated system files. Important behavior: if BACKUP_REPO_URL is set the script will add a git remote and force-push the backup repo, which will transmit backup contents to that remote.
Install Mechanism
There is no remote install or download; the skill is instruction-plus-local-script. package.json lists small, standard dependencies (minimatch, tar). No network downloads or extract-from-URL install steps are present in the manifest.
!
Credentials
The registry lists no required env vars, but both SKILL.md and the script rely on multiple environment variables. The script will send data externally only if configured (BACKUP_REPO_URL for git push and BACKUP_CHANNEL_ID for gateway notifications). That behavior is expected for a backup tool, but it has real exfiltration potential: setting BACKUP_REPO_URL to an external/unknown repository will upload your OpenClaw data (which may contain secrets). The skill itself does not request API tokens, but git pushes may use whatever system git credentials are available.
Persistence & Privilege
always:false (not force-included). The skill does ask the operator to place a script in the user's OpenClaw tools directory and to create a cron job via the OpenClaw cron command (which schedules jobs in the gateway environment). This is normal for a scheduled backup workflow and it does not modify other skills or global agent settings.
Assessment
This skill is what it claims to be: a backup script for your OpenClaw home. Before installing or scheduling it, review the script (scripts/backup.js) yourself and confirm you are comfortable with what will be copied. Pay special attention to BACKUP_REPO_URL: if you set it, the script will git push (force) the backup contents to that remote — only use a trusted, private repository. Also verify BACKUP_CHANNEL_ID because notifications go through the OpenClaw gateway (openclaw message send). Run the script manually once, inspect the generated backup directory (~/.openclaw-backup by default) and backup-report.json, and ensure any git credentials and remote settings are intentional before enabling the cron entry.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.1
Download zip
backupvk9763n3zypdmjjcaz6gaha7h5n80d9adlatestvk975am6r5j0e4n2cvfchykfnt180dkn4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

OpenClaw Backup (Optimized)

What this skill does

Use this skill to install, configure, and run the optimized OpenClaw backup workflow:

  • Full snapshot of ~/.openclaw
  • Workspace archive split into ~90MB parts + SHA256
  • Rich Discord notification (summary + restore steps)
  • Retention of last N reports

Files

  • Script: scripts/backup.js (cross-platform)
  • Reference config: references/CONFIG.md

Install / Setup

  1. Copy the script into your tools folder:
cp scripts/backup.js ~/.openclaw/workspace/tools/openclaw-backup.js
  1. Configure env vars (see references/CONFIG.md):

macOS/Linux (bash/zsh):

export OPENCLAW_HOME="$HOME/.openclaw"
export OPENCLAW_BACKUP_DIR="$HOME/.openclaw-backup"
export BACKUP_REPO_URL="https://github.com/your/repo.git"
export BACKUP_CHANNEL_ID="1234567890"
export BACKUP_TZ="America/Sao_Paulo"
export BACKUP_MAX_HISTORY=7

Windows (PowerShell):

$env:OPENCLAW_HOME="$env:USERPROFILE\.openclaw"
$env:OPENCLAW_BACKUP_DIR="$env:USERPROFILE\.openclaw-backup"
$env:BACKUP_REPO_URL="https://github.com/your/repo.git"
$env:BACKUP_CHANNEL_ID="1234567890"
$env:BACKUP_TZ="America/Sao_Paulo"
$env:BACKUP_MAX_HISTORY="7"
  1. Run once:
node ~/.openclaw/workspace/tools/openclaw-backup.js
  1. Create cron (OpenClaw cron runs in the gateway environment):
openclaw cron add --name "openclaw-backup-daily" \
  --cron "0 5,10,15,20 * * *" --tz "America/Sao_Paulo" \
  --exec "node ~/.openclaw/workspace/tools/openclaw-backup.js"

Restore

Use the restore instructions printed in the backup notification.

Notes

  • Excludes noisy session lock/deleted files for smaller diffs.
  • Requires git and node (>=18).
  • Uses openclaw message send for notifications (no webhook).
  • scripts/openclaw-backup.sh is legacy (Linux/macOS) and will be removed; use backup.js.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…