ClawHub
Back to skill

Security audit

Backup & Restore

Security checks across malware telemetry and agentic risk

Overview

This is a coherent backup and restore skill with high-impact but disclosed access to OpenClaw data, credentials, and configured cloud storage.

Install only if you are comfortable giving the skill access to your OpenClaw workspace, credentials, and backup destinations. Protect ~/.openclaw/credentials/backup/ with strict local permissions, use narrowly scoped cloud credentials where possible, keep the backup passphrase in a password manager, and test restores before relying on the backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The S3 setup instructs users to place long-lived cloud credentials in a local file under ~/.openclaw without any warning about sensitivity, file permissions, rotation, or safer alternatives. In a backup skill, these credentials often grant persistent access to offsite storage, so careless handling increases the risk of credential theft and unauthorized backup access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The R2 instructions tell users to generate and save access keys but do not warn that the token material is sensitive or should be protected like a password. Because these keys provide API access to backup storage, exposure could allow unauthorized reads or writes depending on token scope.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The B2 section directs users to save application keys locally and authorize the CLI, but omits any guidance on protecting those credentials or avoiding shell history and file exposure. In a backup context, leaked keys can enable unauthorized backup manipulation or disclosure if permissions are broader than intended.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The GCS instructions tell users to download and save a service account JSON key without warning that this file is a highly sensitive bearer credential. Service account keys are commonly high impact because anyone who obtains the JSON can authenticate directly to Google Cloud and access resources granted to that account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Google Drive section instructs users to copy rclone.conf but does not explain that the file may contain refresh tokens or other OAuth secrets. If that config is exposed, an attacker may gain ongoing access to the linked Drive remote and any stored backups.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide instructs the agent to persist the backup encryption passphrase to disk in a fixed location, but the user-facing flow does not clearly warn that this highly sensitive secret will be stored locally and may be recoverable by anyone who later gains access to the host or backups of the host. In a backup skill, this is especially risky because the same passphrase protects archived credentials and data, so local persistence weakens the trust boundary and can undermine encryption guarantees.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup flow tells the agent to collect cloud-provider credentials and save them under ~/.openclaw/credentials/backup/, but it does not explicitly warn the user that these sensitive tokens will be stored locally or describe the associated risks. Because this skill handles backup and disaster recovery, those credentials may grant access to entire remote backup repositories, so silent local storage increases the chance of credential theft and broader data compromise if the machine is later accessed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal