Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openclaw-backup-guide

v1.0.0

Automates hourly OpenClaw workspace backups with SQLite database export, optional NAS sync via rsync, and GitHub version control commits and pushes.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The description promises a general-purpose backup helper (SQLite export, optional NAS sync, GitHub commits). The included scripts, however, are tied to a specific project and environment: backup-db.js points at a hard-coded projectDir ('projects/the-orbital') and requires better-sqlite3 from that project's node_modules; backup-nas.sh hard-codes SRC as /home/killingtime/hub-local and a NAS host user@192.168.4.95. The README/SKILL.md say 'rsync' for NAS sync, but the script uses tar+scp. These hard-coded targets and mismatches are not proportional to a reusable backup skill and suggest the package is a personal snapshot rather than a generic tool.
! Instruction Scope
The SKILL.md instructs the user to run the supplied scripts on an hourly cron and to commit and push the workspace (including database backups) to GitHub. The actual backup-nas.sh will create a tarball of the entire workspace and scp it to a remote host (hard-coded), and suppresses stderr (2>/dev/null) so failures/errors are hidden. backup-db.js directly accesses a specific project's DB path and loads a module from that project's node_modules. The scripts read and transmit whole workspace content and a DB file — operations that go beyond a minimal, clearly parameterized backup guide and could lead to unintended data exposure if the remote target is not controlled by the user.
Install Mechanism
There is no automated install/download mechanism; this is an instruction + script bundle. No external URLs or archive extraction are performed by the skill itself, which reduces supply-chain risk. However, the included scripts will execute local filesystem and network operations when run.
! Credentials
The skill declares no required environment variables or credentials (which is appropriate), but the scripts embed environment-specific values (home path, project path, NAS username and IP) in plain text. SKILL.md suggests using GitHub SSH keys or tokens but does not request them programmatically — nonetheless the practice of committing DB backups to a repo and scp-ing to a hard-coded host is disproportionate without clear justification or parameterization. Also, error suppression in the scripts can hide failed authentication or transfer activity.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not modify other skills or system-wide agent settings. It relies on the user to schedule cron jobs; autonomy flags are default and not elevated here.
What to consider before installing
This bundle looks like a personal backup snapshot repackaged as a skill. Before installing or running anything:
- Inspect and edit both scripts. Replace hard-coded paths (projectDir, SRC) and the hard-coded NAS host/user with variables you control. Do not run the scripts until those are set to your intended locations/hosts.
- Note the documentation mismatch: SKILL.md/README mention rsync, but backup-nas.sh uses tar+scp. Decide which method you actually want (rsync generally preserves deltas and is safer for large repos).
- Remove or avoid scp to unknown hosts. The script will send a full workspace tarball and a DB file to 192.168.4.95:lstone by default — that could exfiltrate sensitive data if left unchanged. If you do need remote backups, point to your own trusted target or use encrypted transfer/at-rest encryption.
- The scripts suppress stderr (2>/dev/null), which hides failures and could mask problems or abuse; remove that redirection while testing so you can see errors.
- Avoid committing sensitive databases to a Git repo unless the repo is private and you have encryption or other access controls. Prefer storing backups outside VCS or encrypting the backup artifacts before committing.
- backup-db.js expects better-sqlite3 in the target project's node_modules and a very specific folder layout; adjust the script to take configurable paths or to use a bundled dependency to be more robust.
- Run the scripts in a safe test environment first (not on your production workspace). Consider doing a dry-run (no scp/git push) to validate behavior.
Given the hard-coded personal values and doc/code mismatches, treat this as a potentially sloppy or repurposed personal utility rather than a vetted, generic backup skill. If you want to use it, sanitize and parameterize the scripts and verify endpoints/permissions first.

Like a lobster shell, security has layers — review code before you run it.
