Clawdbot Skill Update
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: clawdbot-skill-update
Version: 1.0.2
The OpenClaw AgentSkills skill bundle 'clawdbot-skill-update' is classified as benign. The skill's purpose is to provide a comprehensive backup, update, and restore workflow for Clawdbot installations, which inherently requires extensive file system access and modification. All scripts (`backup-clawdbot-dryrun.sh`, `backup-clawdbot-full.sh`, `restore-clawdbot.sh`, `validate-setup.sh`, `check-upstream.sh`) perform actions directly aligned with this stated purpose, such as archiving configuration, session states, agent data, credentials, and dynamically detected workspaces, as well as interacting with a local Git repository and the `pnpm clawdbot` CLI. Network activity is limited to `git fetch origin` for checking updates from GitHub, which is legitimate. There is no evidence of data exfiltration to unauthorized external endpoints, persistence mechanisms, obfuscation, or prompt injection attempts in the markdown files (SKILL.md, README.md, etc.) that would instruct an AI agent to perform malicious actions. The documentation is transparent, includes warnings for destructive operations, and even contains explicit security checks in `TEST.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the backup may be able to recover Clawdbot credentials or provider tokens.
The skill explicitly backs up local Clawdbot credentials and auth tokens. This is expected for a full rollback workflow, but the resulting backup is sensitive.
Credentials and auth tokens ... Backs up: ~/.clawdbot/credentials/ (auth tokens)
Store backups in a private location, check file permissions, do not share backup archives, and remove old backups when no longer needed.
Restoring an old or tampered backup could reintroduce stale, sensitive, or unwanted agent state and workspace contents.
The backup preserves sessions, agent state, and full configured workspaces, which may contain persistent agent context and private user data.
tar -czf "$BACKUP_DIR/sessions.tar.gz" -C ~/.clawdbot sessions/ ... tar -czf "$BACKUP_DIR/agents.tar.gz" -C ~/.clawdbot agents/ ... tar -czf "$BACKUP_DIR/workspace-${SAFE_NAME}.tar.gz" -C "$workspace" .
Restore only backups you trust, review configured workspace paths before backup/restore, and consider excluding or separately protecting highly sensitive workspace files.
Running restore against the wrong or untrusted backup can replace current configuration, sessions, credentials, cron state, and workspace files.
The restore script intentionally overwrites Clawdbot configuration and replaces local state directories and workspace contents. It warns the user first, so this is disclosed, but it is still high-impact.
WARNING: This will overwrite current configuration and workspaces ... rm -rf ~/.clawdbot/sessions ... tar -xzf "$BACKUP_FILE" -C "$workspace"
Run restore only after making a fresh safety backup, verify the backup directory and workspace paths, and require explicit user approval before an agent runs it.
If the upstream repository or dependencies are compromised, the update process could install unsafe code.
The documented update flow pulls upstream code and installs/builds dependencies. This is expected for updating Clawdbot, but it depends on the trustworthiness of the repository and package dependencies.
git pull --rebase origin main
pnpm install
pnpm build
Verify the repository and branch, review release notes or commits for major updates, and consider pinning known-good versions for production systems.
