OpenClaw Backup

Security checks across malware telemetry and agentic risk

Overview

This is a real backup and migration skill, but restore can change the user's OpenClaw state and extract an unvalidated archive into the home directory while handling sensitive credentials and history.

Review before installing. Use this only for backups you created and trust, store archives in an encrypted/private location, and do not restore archives from other people or shared storage without inspecting their contents first. Be aware that restore can replace active OpenClaw state and may sync skills after extraction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The README advertises behavior beyond the stated backup-only purpose, specifically restore and automatic installation. This kind of capability mismatch is dangerous because users or hosting platforms may grant trust based on a narrow description while the skill can perform broader state-changing actions on the system.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The documented restore workflow materially expands the skill's authority from backup into data overwrite and environment modification. Hidden or under-declared restore behavior increases the risk of users invoking destructive or high-trust operations without informed consent.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
Automatic installation of OpenClaw is a software-management capability that exceeds a typical backup tool's expected scope. If triggered unexpectedly, it can download and install software, expanding supply-chain and system-integrity risk beyond what a user intended when using a backup skill.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Starting the Gateway during restore gives the skill operational control over services, not just file recovery. This broadens impact from backup/restore into process execution, which can expose services, change runtime state, or surprise users in environments where service startup has security implications.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README describes backing up and transferring highly sensitive content such as conversations, memory, configs, and credentials, but does not provide clear privacy, encryption, retention, or transport warnings. Users may store or move archives insecurely, leading to credential leakage and exposure of private data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation states that backups include conversation history, memory embeddings, configuration, and encrypted credentials, but it does not prominently warn that the archive is highly sensitive. Users may copy these archives to desktops, external drives, or shared locations without understanding that compromise of the backup could expose private history, system context, and secrets that may be decryptable in the target environment.

Missing User Warnings

Medium
Confidence: 92%
Finding
The restore section mentions backup/restore workflow but does not prominently emphasize that restore changes the current OpenClaw installation and can overwrite or replace active state. Even if existing data is renamed to a timestamped backup, users can still disrupt live environments, lose track of prior state, or restore malicious/tampered archives into a trusted installation.

VirusTotal

65/65 vendors flagged this skill as clean.
