Backup Manager Pro

Security checks across malware telemetry and agentic risk

Overview

This is a local backup skill, but it needs review because it can archive sensitive OpenClaw data and install scheduled jobs without clear confirmation.

Install only if you are comfortable with local backups potentially containing API keys, auth profiles, agent memory, identity files, skills, and extensions. Prefer the interactive cron setup over setup-cron-auto.sh, review the exact cron entries before installing them, protect or encrypt the backup directory, and make sure you know how to remove the cron jobs and restore only from trusted backup files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script performs a full backup of the entire OpenClaw workspace and related agent/config directories, which exceeds the stated scope of configuration backups and pre-modification snapshots. In a backup skill, this increases exposure because arbitrary workspace contents may include secrets, prompts, tokens, chat history, or other sensitive user data that the user may not expect to be archived.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script copies multiple workspace files such as MEMORY.md, USER.md, SOUL.md, IDENTITY.md, and task lists in addition to core OpenClaw configuration. Those files can contain sensitive operational context, personal data, prompts, or secrets, so the backup scope exceeds what the skill metadata describes and increases unintended data collection and retention risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documented skill goes beyond backup/cleanup/snapshot behavior and includes a restore operation that actively overwrites live configuration and workspace files. In an agent skill context, that scope expansion is risky because invoking the skill can mutate persistent state and undo or replace user data, which is materially different from passive backup management.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The security notes claim that high-risk operations require confirmation, but the restore script immediately copies backup contents over active files with no prompt or gating. This mismatch can mislead users or higher-level agents into treating restore as safer than it is, increasing the chance of accidental destructive changes.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script implements an emergency restore workflow that overwrites OpenClaw state, while the declared skill purpose emphasizes backup management, cleanup, and snapshots. This scope mismatch is dangerous because users or higher-level agents may invoke the skill expecting low-risk maintenance behavior, but it contains a high-impact restoration path that can replace live configuration and workspace data.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This code extracts or copies backup contents directly into $HOME/.openclaw, overwriting live files and directories with only a simple text confirmation. In an agent skill context, destructive restore capability is risky because it can roll back configuration, replace memory/workspace state, and disrupt operation if triggered on an unexpected or attacker-controlled backup source.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script does more than merely define backup schedules: it persistently modifies the user's crontab and then immediately executes a backup job. That creates lasting system state changes and triggers side effects without a confirmation step, which is risky in an agent skill because installation alone can cause unexpected execution and persistence.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script reads the full existing crontab, filters lines with broad grep rules, and rewrites the entire user crontab. Rewriting global scheduler state is broader than the minimal backup purpose and can accidentally remove unrelated jobs or create a persistence mechanism that survives the current session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script copies workspace and configuration data into a compressed archive without any explicit warning, consent flow, or data minimization controls. This is dangerous because backups often persist longer than live data and can silently aggregate sensitive information into a single high-value file for later theft or accidental disclosure.

Missing User Warnings

High
Confidence
95% confidence
Finding
The restore workflow overwrites current OpenClaw configuration and workspace files, but the usage/docs do not prominently warn that this is destructive. In an automation context, insufficient warning materially raises the risk of unintended data loss or rollback of current state.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document presents a restore command that overwrites the current OpenClaw state, but the command block itself does not prominently warn that restoration is destructive and may replace newer files or user changes. In an emergency-recovery section placed first in the document, users are likely to copy-paste commands quickly, increasing the chance of accidental data loss even if later prose mentions confirmation or safety checks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
These recovery instructions perform state-changing restore actions that can overwrite current files and may interrupt service, but they do not place an explicit warning immediately alongside the commands about data loss, rollback implications, or downtime. In an operational recovery guide, this omission increases the chance that an operator runs destructive commands without understanding that the current state will be replaced.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The scenario-specific restore examples include copying backup files over live configuration and restarting OpenClaw services, but they do not consistently warn that these actions replace the current state and can cause downtime. Because these are copy-pasteable snippets in incident scenarios, the lack of localized safety warnings makes accidental destructive use more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script changes the user's crontab and launches a backup task immediately, all without any confirmation prompt. In an agent context this is dangerous because it combines persistent scheduling with instant execution, giving the user no chance to review the commands, paths, or data that will be processed.

Session Persistence

Medium
Category
Rogue Agent
Content
echo -e "${YELLOW}📝 日志文件: $HOME/.openclaw/workspace/memory/backup-cron.log${NC}"
echo "============================================"

# Back up the existing crontab
EXISTING_CRON=$(crontab -l 2>/dev/null || true)
if [[ -n "$EXISTING_CRON" ]]; then
    BACKUP_FILE="$HOME/.openclaw/workspace/memory/crontab-backup-$(date +%Y%m%d_%H%M%S).txt"
Confidence
96% confidence
Finding
crontab EXISTING_CRON=$(crontab -l 2>/

Session Persistence

Medium
Category
Rogue Agent
Content
exit 0
fi

# Back up the existing crontab
EXISTING_CRON=$(crontab -l 2>/dev/null || true)
if [[ -n "$EXISTING_CRON" ]]; then
    BACKUP_FILE="$HOME/.openclaw/workspace/memory/crontab-backup-$(date +%Y%m%d_%H%M%S).txt"
Confidence
95% confidence
Finding
crontab EXISTING_CRON=$(crontab -l 2>/

VirusTotal

64/64 vendors flagged this skill as clean.
