Backup & Recovery Automation
Pending: Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Backups may contain private user data, agent memory, session material, and contact secrets; anyone with access to the Drive backup or rclone configuration could read or restore them.
The documented backup set includes active sessions, agent memory, user information, and contact environment data that would be copied to Google Drive.
Destination: Google Drive ... sessions/ # Active sessions ... MEMORY.md ... USER.md # User information ... .openclaw_contacts.env
Review and narrow the backup sources, exclude secrets/session stores unless truly needed, enable encryption before cloud backup, and document exactly what sensitive files are included.
After setup, backups can keep running and uploading data every day even if the user forgets the cron job exists.
The setup script installs a persistent daily backup job and creates a system-wide monitoring helper.
CRON_JOB="0 3 * * * cd /workspace/skills/backup-recovery && node src/index.js run ..." ... | crontab - ... cat > /usr/local/bin/check-backup-status
Only run setup if persistent daily backups are intended; inspect crontab after installation and remove the job if automatic backups are not desired.
A malformed or tampered configuration value could cause unintended shell behavior or make the backup operate on the wrong paths.
rclone commands are assembled by string concatenation from configuration values and executed through a shell.
const allSources = this.config.sources.join(' '); ... const { stdout, stderr } = await execAsync(command, { shell: true });
Use argument-array process execution instead of shell strings, validate and quote all paths/remotes, and require confirmation for high-impact sync or deletion operations.
Users must grant cloud and notification access and should understand which account will receive the backups.
The README discloses expected credentials and filesystem access, but the registry metadata lists no primary credential or environment requirements.
This skill requires: - Google Drive OAuth credentials - Telegram Bot token - File system access
Use least-privilege Google Drive OAuth scope, protect the rclone configuration, avoid shared accounts, and declare credential requirements in metadata.
The skill depends on the user's installed rclone binary and configuration, which may vary by system and provenance.
The setup script depends on a local rclone installation even though the registry requirements declare no required binaries.
if ! command -v rclone &> /dev/null; then ... echo " sudo apt install rclone" ... exit 1
Declare rclone as a required binary, document supported versions, and verify rclone is installed from a trusted source.
