mmxagent-guardian

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a local file-backup and rollback skill, but it can keep unencrypted local copies of sensitive files, so users should enable it deliberately.

This skill appears purpose-aligned and local-only based on the provided artifacts. Before installing, make sure you want the agent to create rollback data for file edits and deletions, especially for secret-bearing files such as .env, SSH, cloud, Docker, or Kubernetes configs. Review confirmations carefully, secure the ~/.openclaw/minivcs/ directory, and clean old backups when they may contain sensitive data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Low
What this means

The skill can run local Python commands to create, restore, and manage file backups.

Why it was flagged

The skill depends on running bundled local Python code. This is expected for its file-versioning purpose and is disclosed, but users should understand that the agent may invoke a local script.

Skill content

Runtime requirement: Python 3 is required to run `scripts/minivcs/minivcs.py`.

Recommendation

Use only if you are comfortable with the bundled script running locally, and keep Python 3 installed from a trusted source.

ASI02: Tool Misuse and Exploitation
Low
What this means

If used incorrectly, file rollback or restore actions could affect local files, although the workflow is designed to protect against accidental loss.

Why it was flagged

The skill wraps high-impact file operations such as modify, delete, restore, and rollback. This is core to the stated purpose and the instructions also require user confirmation.

Skill content

Modify: Saves an incremental diff plus a full snapshot ... Delete: Moves the full file into `~/.openclaw/minivcs/trash/`

Recommendation

Confirm the exact file path and operation before allowing the agent to use the MiniVCS commands.

ASI03: Identity and Privilege Abuse
Medium
What this means

Credential or configuration files could be duplicated into the MiniVCS storage area if the agent modifies or deletes them.

Why it was flagged

These directories often contain credentials or account configuration. The skill does not appear to exfiltrate them, but protected modifications or deletions may create local backup copies.

Skill content

IMPORTANT_HOME_SUBDIRS = [".ssh", ".gnupg", ".gpg", ".config", ".local/share", ".openclaw", ".kube", ".docker", ".aws", ".azure"]

Recommendation

Be cautious when using this skill on credential directories, and review or clean the backup store when sensitive files are involved.

ASI06: Memory and Context Poisoning
Medium
What this means

Local backups may contain private data and are not encrypted by the skill.

Why it was flagged

The skill intentionally persists file history, diffs, snapshots, trash, and backups locally. This is disclosed and purpose-aligned, but sensitive file contents may remain available until cleanup.

Skill content

Protection data is stored locally under `~/.openclaw/minivcs/`. This Skill does not provide encryption or remote sync.

Recommendation

Protect access to your home directory, avoid backing up highly sensitive files unless necessary, and periodically clean expired records.