ClawHub

OCTOOL for backup

v1.0.17

Openclaw Visual Configuration Assistant. Provides secure wizard for local/Git backup and workspace migration.

0· 226·0 current·0 all-time
by@donnieclaw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name, description and SKILL.md describe a local/browser backup and git-integration assistant. The provided html implements a frontend-only UI and explains GitHub PAT usage; there are no unrelated required binaries, env vars, or installs requested, so the requested footprint aligns with the stated purpose.
Instruction Scope
SKILL.md and the embedded oc-tool.html state the tool runs entirely in the browser, only reads files the user drags in, and only calls api.github.com when the user opts into Git mode. The tool also generates shell commands for manual execution. These instructions remain within scope, but the file makes strong claims about input sanitization and 'no other network calls' — those claims are plausible but should be validated by reviewing the full HTML/JS (e.g., search for fetch/XHR/WebSocket and any dynamic eval or encoded network endpoints).
Install Mechanism
Instruction-only skill with no install spec and no code executed by the platform. No downloads, package installs, or archive extraction are present in the manifest — lowest-risk installation model.
Credentials
No required environment variables or credentials declared. The only credential the tool optionally uses is a GitHub PAT provided by the user in-GUI and (per the code) stored in sessionStorage; that is proportional to the claimed GitHub write/read use. The SKILL.md recommends fine-grained PAT scopes, which is appropriate.
Persistence & Privilege
Skill is not always-on and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide agent settings. Generated shell snippets write to ~/.bash_profile only when the user chooses to run them; that behavior is described and gated by manual copy/paste.
Assessment
This skill appears coherent for a browser-based backup wizard, but take these precautions before installing or using it: 1) Manually review the full oc-tool.html (search for fetch/XHR/WebSocket, eval, atob/decoded strings, or hidden endpoints) to confirm there are no hidden network calls or obfuscated code. 2) Test the page offline (disconnect network) and confirm DevTools → Network shows zero requests before entering any token. 3) If you use Git mode, create a fine-grained GitHub PAT limited to the specific repo and only 'contents: read & write' as recommended. 4) Always inspect generated shell commands before pasting them into your terminal; even well-intentioned scripts can be harmful if executed incorrectly. 5) Prefer running the tool in a disposable or isolated browser profile/tab and close the tab to ensure sessionStorage is cleared. If you want higher assurance, provide the full oc-tool.html for a complete code audit (I only saw a truncated excerpt here).

Like a lobster shell, security has layers — review code before you run it.

latestvk97b49ed26g4tjycz9f5gzmr9184ghth

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖥️ Clawdis

Comments