Keep My Claw — OpenClaw Backup

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real backup skill, but it gives the agent broad access to credentials, off-site uploads, billing setup, restores, and backup deletion with too little user control.

Install only if you intentionally want a third-party encrypted backup of your full OpenClaw agent, including credentials and cron jobs. Prefer creating the account and password yourself, use an agent-scoped API key instead of an admin key where possible, avoid putting the password/API key/passphrase in chat logs, review the file list before first upload, and be careful with restore and prune because they can overwrite local files or delete remote backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (92% confidence)
Finding
The trigger list includes generic terms like "backup", "restore", and "snapshot", which are common in normal conversations and could cause this skill to activate when the user did not intend to invoke a third-party backup workflow. Because the skill handles credentials, off-site data transfer, and restore operations, accidental invocation materially increases the chance of unintended account creation, data exposure, or destructive restore actions.

Missing User Warnings

Medium (95% confidence)
Finding
The restore section tells users to run restore commands without a prominent warning that local files, credentials, cron jobs, and configuration may be overwritten or altered. In this context, restore affects the entire agent state, so omission of a destructive-operation warning can lead to unintended loss of current data or rollback to stale or maliciously seeded backups.

Missing User Warnings

High (97% confidence)
Finding
The script automatically transmits a highly sensitive backup bundle containing full workspaces, credentials, configuration, and cron job data to a remote API without explicit confirmation, scoping controls, or a clear warning to the user. In this skill context, that is especially dangerous because agent workspaces commonly contain secrets, source code, tokens, and operational data, so silent exfiltration to a configured endpoint creates a substantial confidentiality risk.

Missing User Warnings

Medium (83% confidence)
Finding
This script performs irreversible backup deletions in bulk based solely on a numeric retention argument, with no confirmation prompt, dry-run mode, or explicit destructive-action safeguard. In an agent skill context, where scripts may be invoked automatically or by users who do not fully inspect shell code, this increases the risk of accidental data loss from misuse, misconfiguration, or unexpected API results.

VirusTotal

66/66 vendors flagged this skill as clean.
