Back to skill

Security audit

agent-backup-transfer

Security checks across malware telemetry and agentic risk

Overview

This is a genuine OpenClaw backup tool, but it creates portable archives of sensitive agent identity/config data and gives under-protected restore and transfer guidance.

Install only if you need OpenClaw backup or migration. Treat each backup archive like sensitive account data: keep it private, encrypt it before upload or transfer, avoid chat/email unless encrypted, and restore only archives you created and trust. Before restoring, inspect the archive contents or extract into a temporary directory first, and make a current backup because existing OpenClaw files may be overwritten.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The restore instructions tell users to extract a backup archive directly into their home directory, which can overwrite existing OpenClaw files without any warning, validation, or recommendation to back up first. In the context of agent state and configuration, this can cause accidental data loss, corruption, or rollback of a live installation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guidance suggests transferring the backup via USB, cloud sync, email, or Discord without warning that the archive may contain sensitive agent memory, sessions, configuration, and identity data. This increases the risk of credential leakage, privacy exposure, or unauthorized recovery of the agent state if the archive is intercepted or shared insecurely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The backup command explicitly archives sensitive OpenClaw material including .openclaw/openclaw.json, .openclaw/identity, and .openclaw/agents, which likely contain credentials, agent identity, or private state. Creating portable tar.gz backups of this data without any warning, encryption, or permission hardening increases the risk of credential leakage if the archive is copied, stored insecurely, or restored on an untrusted system.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.