Back to skill

Security audit

Clawdbot Skill Update

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local Clawdbot backup, update, and restore helper, but its backups can contain credentials, sessions, and workspace data.

Install only if you want a local maintenance tool with broad access to Clawdbot state. Run the dry run first, review ~/.clawdbot/clawdbot.json workspace paths, keep ~/.clawdbot-backups private and preferably encrypted, do not share backup archives, and restore only from trusted backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script reads workspace paths from the Clawdbot config and then inspects arbitrary directories on the filesystem, reporting their existence, size, and file counts and planning to archive them. For a backup dry run, this extends scope beyond the Clawdbot home into user-configured paths that may contain unrelated sensitive data, increasing disclosure and over-collection risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script trusts configuration-supplied workspace paths and performs filesystem discovery on whatever directories are listed, including non-Clawdbot locations. Even though it is a dry run, it reveals path validity, size, and file counts for arbitrary directories, which is broader reconnaissance than needed for a routine backup check.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script trusts workspace paths from ~/.clawdbot/clawdbot.json and archives any existing directory, even if it is outside the application's state tree. If that config is maliciously modified or points to sensitive locations such as ~/.ssh, cloud credentials, or project secrets, the backup process will silently collect and persist those files, expanding exposure and potentially enabling later exfiltration.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The restore script offers an optional Git rollback and rebuild path that goes beyond restoring user data and configuration. If the backup metadata or chosen backup is untrusted, this can move the local source tree to an unexpected commit and execute build/install steps, increasing the blast radius from data restore to code/state modification.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script restores ~/.clawdbot/clawdbot.json from the backup and then trusts workspace paths inside that restored config to create directories and extract tarballs there. A malicious or tampered backup can therefore cause writes to arbitrary filesystem locations the user can access, potentially overwriting projects, dotfiles, or sensitive application data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The quick-fix commands directly rewrite the live configuration file using jq piped into sponge, with no warning that the operation overwrites existing settings in place. In an update skill, operators may copy-paste these commands verbatim, causing unintended policy or sandbox changes and loss of prior configuration choices without review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This section includes forceful or non-interactive operational commands such as doctor --yes, pkill -f, and update flow steps that can change state immediately without confirmation. In a quick-reference card, these are especially risky because they encourage rapid copy-paste execution during troubleshooting, increasing the chance of accidental service disruption, unintended process termination, or unreviewed system changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly states that backups include credentials, auth tokens, session state, sandbox state, and all agent workspaces, but it does not warn that the resulting archives are highly sensitive or that restore operations can overwrite current state. In a backup/restore skill, that omission materially increases the chance of accidental credential exposure, unsafe storage of archives, or destructive restoration by a user following the documented workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly backs up credentials, auth tokens, sessions, and agent workspaces, but it does not warn that the resulting backup artifacts contain highly sensitive material. If the backup directory has weak permissions, is synced to cloud storage, or is accessible to other local users, attackers could recover tokens, conversations, and workspace data and use them to impersonate services or access private information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow includes disruptive and state-changing actions such as stopping the gateway, pulling and rebuilding code, editing configuration, and restoring prior state, but the documentation lacks a consolidated warning that these steps can cause downtime or overwrite local changes. In practice, this increases the risk of accidental service interruption, data loss, or rollback to an unexpected state when operators follow the instructions without understanding the consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The restore test instructs the user to run a destructive restore that overwrites the live Clawdbot config, with only a manual copy/move safety step around it. If the restore command fails midway, the backup filename is mistyped, or the final move-back step is skipped, the user can be left with a broken or unintended configuration. In a testing guide for backup/restore workflows, this is a real safety issue because it encourages modification of a real user environment rather than an isolated test fixture.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script identifies the credentials directory and states that credential archives would be created, but it does not prominently warn the user that sensitive secrets are part of the backup set. In a real backup workflow, this can lead to accidental retention, transfer, or exposure of secrets without informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically archives the credentials directory and later backs up agent-defined workspaces without any explicit consent, sensitivity warning, or permission hardening. This creates local copies of secrets on disk that may be more broadly readable, retained longer than intended, or later uploaded/shared by users who do not realize the backup contains sensitive material.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.