Security audit

Backup & Recovery Automation

Security checks across malware telemetry and agentic risk

Overview

This is a real backup tool, but it can continuously upload broad OpenClaw and workspace data to Google Drive and makes persistent host changes without enough scoping or consent.

Install only after reviewing and narrowing the backup sources. Exclude sessions, tokens, env files, and unrelated workspace data; use your own least-privilege Google Drive remote; enable encryption if sensitive data may be uploaded; run dry-run first; and only run setup if you intentionally want the daily cron job and system-wide monitoring command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill describes shell-capable operational behavior such as running rclone commands, backups, recovery actions, and scheduling, but it does not declare permissions or clearly scope those capabilities. That creates a transparency and consent problem: an agent or user may approve a seemingly simple backup skill without realizing it can execute system commands affecting files, network transfers, and scheduling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is backup and recovery, but the detected behavior extends to modifying crontab, creating a system-wide script under /usr/local/bin, and invoking another alerting skill. Hidden persistence, cross-skill actions, and system-level file creation materially increase risk because they expand impact beyond ordinary backup functionality and may surprise users or bypass expected review.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The backup scope includes `${WORKSPACE_DIR:-/workspace}`, which is broader than the stated OpenClaw backup purpose and may capture unrelated project files, credentials, customer data, or other sensitive artifacts stored in the workspace. Because backups are sent to a remote drive and encryption is explicitly disabled, this over-collection increases the chance of unintended data exfiltration and privacy or compliance exposure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script goes beyond one-time Google Drive configuration by installing persistent scheduled execution via cron and a host-level monitoring utility in /usr/local/bin. These changes increase system footprint and persistence, and if the backup code is later modified or compromised, it will continue running automatically with access to backed-up data and local logs.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Including the entire /workspace directory materially broadens data collection beyond the stated OpenClaw backup scope. This can unintentionally exfiltrate unrelated project files, secrets, tokens, source code, or other tenants' data to Google Drive, especially in shared or multi-project environments.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Installing a global executable in /usr/local/bin modifies the host outside the skill directory and creates a reusable command available system-wide. This increases trust and attack surface because future changes to the skill's code or path assumptions can affect any user invoking that command.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The default backup sources include both `/home/rhandus/.openclaw` and the entire `/workspace`, which exceeds the stated OpenClaw-focused backup purpose and can capture unrelated code, secrets, credentials, and other tenant data. Because this data is then synced to a remote rclone destination, the overbroad scope materially increases the chance of unauthorized data exfiltration and privacy violations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
On backup failure, the skill invokes an external `alerting-system` via a shell command and passes dynamic values derived from runtime errors and backup names. This expands the trust boundary beyond backup/restore functionality and creates additional risk from command injection, unintended data disclosure to another subsystem, or abuse if that external skill is compromised or absent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill specifies automatic rotation where older backups are deleted after day 20, but it does not prominently warn that this is permanent data deletion and may remove the only recoverable copy of older state. In a backup tool, deletion logic is especially sensitive because users may assume backups are purely additive and safe.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes transmitting local OpenClaw and workspace data to Google Drive, including potentially sensitive files such as identity, user info, memory, sessions, contacts, and agent configuration, without an explicit privacy warning. Because the backup target is a third-party cloud service, this can expose confidential data, credentials, or personal information if users do not understand the scope of uploaded content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prompts for Client ID and Client Secret without masking input, warning about persistence, or explaining where credentials will be stored. This can expose secrets on screen or terminal recordings and leads users to persist sensitive OAuth material via rclone configuration without informed consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script silently installs a daily cron job that executes backup logic and retention behavior without an explicit approval step. Automatic recurring execution can continuously upload data and delete older backups, creating confidentiality and availability risks if the configuration is incorrect or the backup command is compromised.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Creating a system-wide monitoring script under /usr/local/bin without explicit notice or confirmation makes a host-level change beyond ordinary backup configuration. Even if intended for observability, it normalizes persistent modification of the host and may expose backup status, paths, and remote names to other local users depending on permissions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is configured to back up `/workspace` and `/home/rhandus/.openclaw` to a remote Google Drive/rclone destination without any explicit disclosure, consent prompt, or data classification checks. In practice, these locations may contain source code, secrets, tokens, logs, and personal files, so silent transfer to third-party storage creates a meaningful confidentiality and privacy risk.

VirusTotal

65/65 vendors flagged this skill as clean.