ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

myclaw-backup

v2.0.0

Backup and restore all OpenClaw configuration, agent memory, skills, and workspace data. Part of the MyClaw.ai (https://myclaw.ai/skills) open skills ecosyst...

1· 1.2k·14 current·15 all-time
byLeo Ye@leoyeai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, declared required binaries (node, rsync, tar, python3, openclaw), and the provided scripts (backup/restore/schedule/serve + server.js + UI) all align with a backup-and-restore capability for OpenClaw. The files back up and restore ~/.openclaw and related data as described.
Instruction Scope
SKILL.md and the scripts explicitly read and overwrite ~/.openclaw, modify crontab (schedule.sh), and optionally start an HTTP server for upload/download/restore. That behavior matches the stated purpose, but the runtime instructions do grant the skill broad read/write access to highly sensitive local data (bot tokens, API keys, session history) and ability to change system crontab — these are expected for a full backup tool but are high-trust operations and worth caution.
Install Mechanism
No install spec (instruction-only) and all code is bundled in the skill. Nothing is downloaded from untrusted URLs or installed from remote package sources by the skill itself.
Credentials
The skill declares no required environment variables, which is proportionate. However the serve.sh/server.js flow requires the operator to provide a token; serve.sh passes that token on the command line and environment when launching node. Passing secrets on the command line may expose them to other local users (ps output) and is a practical security risk though not inconsistent with the skill's function.
Persistence & Privilege
always:false (no forced global presence). The skill can add a cron entry (schedule.sh) to persist periodic backups — this is intentional for a backup tool but is a persistent change to the system crontab and should be enabled only with operator consent. The HTTP server also listens for network connections (server.listen uses 0.0.0.0), which is a persistent network presence while running.
Assessment
This skill appears to do exactly what it claims (full OpenClaw backup/restore) but it operates on highly sensitive files and offers a built-in HTTP server and cron scheduling — review these points before installing: - Trust boundary: backups contain bot tokens, API keys, session history and channel credentials. Only install/run on a trusted machine and protect the resulting .tar.gz files. - HTTP server defaults: serve.sh starts the Node server and binds to 0.0.0.0; although docs warn not to expose it, the default listen address makes it reachable on all interfaces. If you only want local access, modify the server to bind to 127.0.0.1 or run it behind a firewall/reverse proxy with TLS. - Token handling: serve.sh passes the token on the node command line and environment; command-line arguments can be visible to other local users via ps. Prefer passing the token via a protected environment or modify server.js/serve.sh to read the token from a secured file or prompt. - Exposure via URL: the UI embeds the token in links (query string). Query strings and logs may leak tokens (reverse proxies, access logs). Avoid sharing these URLs publicly; prefer scp/ssh when migrating between machines. - Cron changes: schedule.sh modifies the system crontab. Review the cron entry before enabling; use --disable to remove. If you lack admin consent, do not enable scheduling. - Restore safety: follow the skill advice — always run restores with --dry-run first. The restore scripts prompt for confirmation when not dry-run but the server can auto-confirm (echo 'yes' | restore) when invoked via the local restore endpoint; ensure only trusted local users can invoke that endpoint. - Audit and harden: inspect server.js, backup.sh, restore.sh yourself before using. Consider hardening: restrict server.listen to localhost, drop token from argv, enable TLS or run behind SSH tunnel, and ensure backup files have strict permissions and are transferred using scp/sftp. If you want to proceed: run backups locally first, inspect archives, test restore with --dry-run, and avoid starting the HTTP server on a machine exposed to untrusted networks. If you cannot review/modify code yourself, treat this as a high-trust skill and consider alternative migration methods (scp of archive) instead of enabling the built-in HTTP server.
scripts/server.js:155
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

backupvk974prq0t2fmeaac0r1whweb3x827fzxlatestvk97dr266cjjhrgepjy8h17x9fn83rnt3migrationvk974prq0t2fmeaac0r1whweb3x827fzxmyclawvk974prq0t2fmeaac0r1whweb3x827fzxrestorevk974prq0t2fmeaac0r1whweb3x827fzx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode, rsync, tar, python3, openclaw

Comments