clawmerge

Security checks across malware telemetry and agentic risk

Overview

This is a real backup/restore skill, but it handles credentials, sessions, cron, and package installation in ways that need careful review before use.

Install only if you specifically need full OpenClaw migration or disaster recovery. Treat created backups as sensitive credential archives: do not share them, store them encrypted, prefer `--dry-run` first, use `--no-sessions` unless needed, avoid restoring untrusted backups, and review any cron, `.env`, auth, session, `requirements.txt`, or script inventory changes before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and documents shell execution, file reads/writes, backup/restore of system and workspace data, and cloud/NAS upload scenarios, but no explicit permissions are declared. That creates a trust and policy-bypass risk: an agent or reviewer may treat the skill as low-privilege while it can invoke powerful filesystem and shell operations on sensitive OpenClaw data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a true high-risk mismatch because the documented purpose sounds like a backup/merge utility, yet the behavior includes system-wide script discovery, dependency/environment inventory, package installation during restore, direct crontab restoration, and handling of secrets such as tokens, .env, auth config, and sessions. Those extra behaviors materially expand the attack surface into persistence, environment modification, credential exposure, and potential code execution beyond what a user may reasonably expect from a backup skill.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script scans broad host locations such as `~/scripts`, `~/bin`, and `/opt/scripts`, which exceeds the stated OpenClaw workspace backup/restore scope and inventories files outside the workspace. In an agent skill context, this creates unnecessary access to unrelated user/system metadata and can expose sensitive operational details during backup or export flows.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Reading the user's crontab gives the skill visibility into scheduled host tasks, which may reveal sensitive script paths, maintenance jobs, backup tooling, or secrets encoded in command lines. That host-level discovery is not disclosed in the manifest and is broader than a normal workspace backup function, making it an over-privileged behavior for this skill context.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script opens arbitrary discovered Python files and extracts imports and embedded config filenames, which increases data collection beyond simple path inventory. This can leak technology stack details, internal module names, and references to configuration files from unrelated host scripts, enlarging the privacy and reconnaissance impact if the generated inventory is exfiltrated or restored elsewhere.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script restores and stages a `.env` file containing secrets, but the skill metadata and user-facing scope emphasize workspace, sessions, cron, and configuration export/restore rather than secret material. In this context, silently including environment secrets broadens the trust boundary and can reintroduce API keys or credentials from an untrusted or stale backup into the live environment.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script restores `.backup-sessions` whenever the backup contains it because the condition is `WITH_SESSIONS=true || HAS_SESSIONS=true`. That contradicts the documented optional behavior and can import conversation history into the live agent state without explicit user opt-in, creating privacy and integrity risks.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Although the tool claims restore defaults to a safe merge that avoids overwriting running configuration, it still copies backed-up session data into `~/.openclaw/agents/main/sessions` by default when present. Session state is part of live operational context, so writing it automatically can alter agent behavior, leak prior conversations, or contaminate current state.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The restore script executes `pip3 install -r` on a requirements file taken directly from the backup, which turns a data restore operation into code acquisition and execution. In the context of a backup/restore skill advertised as safe merge-style restoration, this is dangerous because a tampered backup can cause installation of malicious packages or trigger arbitrary code execution through package install hooks and dependency resolution.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Installing Python dependencies from backup contents is beyond a narrowly scoped restore operation and can execute attacker-controlled supply-chain inputs. Even if intended for convenience, this behavior materially increases risk because a compromised backup can introduce malicious packages or unsafe versions into the host environment.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
`crontab "$BACKUP_DIR/03-cron-configs/system-crontab.txt"` replaces the user's entire crontab, contradicting the skill's stated safe merge/non-overwrite framing. A malicious or stale backup can therefore silently persist arbitrary scheduled commands, disable existing jobs, or establish long-term execution on the system.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The restore path extracts the archive directly into the live workspace with `tar -xzf ... -C`, which can overwrite existing files despite the skill metadata claiming a default safe merge behavior. In a backup/restore skill, this mismatch is especially dangerous because users are likely to trust the tool during migration or disaster recovery and may unintentionally destroy current configuration or memory state.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The merge logic appends `TOOLS.md` from the source workspace directly into the destination file without deduplication, validation, or user confirmation, contradicting the stated non-overwrite/safe-merge behavior. In this skill context, `TOOLS.md` may influence agent behavior or trusted workspace instructions, so blindly concatenating content can corrupt configuration or import untrusted directives from another workspace.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad, common words such as '备份' (backup), '恢复' (restore), '迁移' (migrate), and '换电脑' (switch computers), which raises the risk of accidental invocation in ordinary conversation. In the context of a skill that can read/write sensitive files, restore sessions, and potentially modify cron or system config, unintended triggering can lead to unexpected high-impact operations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide explicitly instructs users to generate and store a `public-config.json` file and later states that it includes operationally sensitive metadata such as stock holdings, channel parameters, group IDs, and retry rules. Even if secrets are omitted, this kind of configuration can reveal internal topology, business logic, and identifiers that may aid profiling, targeting, or accidental disclosure if the workspace or backups are shared.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The script persists a JSON inventory containing discovered script paths and derived metadata without warning the user that host file structure and related details will be stored. While not directly exploitable as code execution, this creates a privacy and operational security issue because the output may later be backed up, shared, or restored to another system.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When `--with-sessions` is used, the script copies conversation history from the sessions directory into the backup archive, but only gives a brief note after exporting rather than a clear opt-in warning about sensitive content. In a backup/migration skill, this context increases risk because users may routinely share or move archives and unintentionally disclose private prompts, credentials, or other sensitive chat data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script intentionally includes highly sensitive material in the backup set: gateway tokens in `openclaw.json`, environment secrets in `.env`, agent auth config, and session transcripts. While this is framed as disaster recovery, there is no explicit consent prompt, sensitivity warning, encryption, or restricted-permission handling, so a user can easily create a portable archive containing credentials and private conversations that could be exposed if stored, shared, or restored insecurely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
In normal mode, the user gets a generic restore confirmation but no specific upfront warning that conversation history may be copied into place automatically. Because session data can contain sensitive prompts, credentials, or personal data, restoring it without clear notice undermines informed consent and can cause unintended disclosure or state poisoning.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script modifies the user's scheduler configuration without an interactive warning or confirmation, which is unsafe because cron is a persistence and execution mechanism. In this skill context, users expect backup restoration, not silent replacement of scheduled tasks that may run later with user privileges.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script copies configuration files from backup into `$WORKSPACE_DIR` without validating that the destination is set or clearly disclosing overwrite behavior. This is risky because restore data may replace active configuration, alter runtime behavior, or write to an unintended path if environment assumptions are wrong.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script installs Python packages from backup-provided requirements without any meaningful warning or user approval. Because package installation can fetch and execute untrusted code, lack of disclosure or confirmation makes this an unsafe hidden side effect for a restore tool.

Credential Access

High
Category
Privilege Escalation
Content
```bash
echo -e "  ${RED}✗ openclaw.json not found!${NC}"
fi

# Backup .env if exists
if [ -f "$OPENCLAW_DIR/.env" ]; then
    cp "$OPENCLAW_DIR/.env" "$BACKUP_DIR/system/.env"
    echo "  ✓ .env"
```
Confidence
99% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
```bash
fi

# Backup .env if exists
if [ -f "$OPENCLAW_DIR/.env" ]; then
    cp "$OPENCLAW_DIR/.env" "$BACKUP_DIR/system/.env"
    echo "  ✓ .env"
fi
```
Confidence
99% confidence
Finding
.env"

Session Persistence

Medium
Category
Rogue Agent
Content
### 4. Disaster recovery (dangerous full-overwrite mode)

```bash
bash skills/clawmerge/scripts/one-click-full-restore.sh /path/to/openclaw-disaster-backup.tar.gz --unsafe-overwrite
```

Use this only when you explicitly want the backup to overwrite the current running environment. It may overwrite:
Confidence
93% confidence
Finding
write ``` Use this only when you explicitly want the backup to overwrite the current running environment. It may overwrite: - `~/.openclaw

VirusTotal

62/62 vendors flagged this skill as clean.
