ClawHub

Duplicati Backup Manager

v0.1.0

Manage Duplicati backups on the server using secure Bearer tokens.

3· 1.7k·2 current·2 all-time
by@robnew
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Duplicati backup manager) match what the SKILL.md actually does: it issues REST calls to DUPLICATI_URL using a DUPLICATI_TOKEN. The required env vars (DUPLICATI_URL, DUPLICATI_TOKEN) are exactly what a Duplicati API integration needs and no unrelated credentials or binaries are requested.
Instruction Scope
Runtime instructions are concrete curl commands against the Duplicati API endpoints, plus guidance for mapping names to IDs and reporting FreeSpace. The skill does not instruct the agent to read other files, environment variables, or to transmit data to endpoints outside of DUPLICATI_URL.
Install Mechanism
No install spec and no code files — instruction-only — so nothing is downloaded or written to disk by the skill itself. README suggests a git clone for convenience, but that is optional documentation rather than a required install step.
Credentials
The two required env vars are proportional to the task. One caveat: the skill expects a long-lived "Forever Token" (README describes generating a 10-year token). Long-lived tokens increase risk if compromised; prefer short-lived or scoped tokens and rotation where possible.
Persistence & Privilege
always is false and model invocation is not disabled (the platform default). The skill does not request persistent system privileges, nor does it modify other skills or system config.
Assessment
Functionally this skill is coherent and limited to calling your Duplicati server using the provided URL and token. Before installing: 1) ensure DUPLICATI_URL points to a trusted internal server (not a public endpoint). 2) Avoid placing a long-lived "Forever Token" in broadly accessible agent config — prefer scoped/short-lived tokens or rotate them regularly. 3) Confirm the skill source (registry owner and repo link in README are not authoritative here); if you plan to clone code from the referenced GitHub, inspect it before running. 4) If you want to limit blast radius, run the skill in an environment with least privilege and consider policies that restrict autonomous actions or network access to only your Duplicati host.

Like a lobster shell, security has layers — review code before you run it.

automationvk97dj1q5sngq0wte677hmh5rdn80fsb2backupvk97dj1q5sngq0wte677hmh5rdn80fsb2duplicativk97dj1q5sngq0wte677hmh5rdn80fsb2homelabvk97dj1q5sngq0wte677hmh5rdn80fsb2latestvk97dj1q5sngq0wte677hmh5rdn80fsb2self-hostedvk97dj1q5sngq0wte677hmh5rdn80fsb2server-managementvk97dj1q5sngq0wte677hmh5rdn80fsb2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvDUPLICATI_URL, DUPLICATI_TOKEN

Comments