ClawHub

safe-backup

v1.0.5

Backup OpenClaw state directory and workspace. Includes excluding sensitive files, packaging for backup. Triggered when user asks to backup, export, or save...

0· 750·1 current·1 all-time
byAIWareTop@hacksing
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the code and SKILL.md: the script copies ~/.openclaw and workspace, excludes sensitive patterns, and packages a tar.gz. The guidance about storing or pushing backups is advisory only and not automated.
Instruction Scope
Runtime instructions and the script operate on local filesystem paths and temporary directories and only produce a local tarball. The script reads optional environment variables OPENCLAW_STATE_DIR and OPENCLAW_WORKSPACE_DIR (not declared in metadata) and relies on standard commands (rsync, tar). It does not upload data or transmit secrets by itself, but it instructs the user how to push to a remote repo (manual steps).
Install Mechanism
No install spec (instruction-only with a shipped script) — low risk. The script uses standard system tools (rsync, tar). Note: rsync is assumed available but may be absent on some Windows setups; SKILL.md calls this out.
Credentials
The skill declares no required credentials or env vars, which is appropriate. The script optionally respects OPENCLAW_STATE_DIR and OPENCLAW_WORKSPACE_DIR and uses $HOME/$TMPDIR/$TEMP — reasonable for locating files. No secrets are requested or written by the skill. Users should note that excluded files (e.g., auth-profiles.json) are intentionally not backed up and must be re-authenticated after restore.
Persistence & Privilege
The skill is not forced-always, does not modify other skills or global agent settings, and does not persist credentials. Autonomous invocation is allowed (platform default) but the skill's actions are local and user-invocable.
Assessment
This skill appears to do what it says, but before installing or running: 1) verify rsync and tar are available on your environment (Windows may need Git Bash/MSYS/WSL); 2) review the generated tarball contents before uploading anywhere — the script excludes many sensitive patterns but you should still inspect the archive; 3) encrypt backups before storing in the cloud or a repo; 4) be aware auth-profiles.json and other credential files are intentionally excluded and you will need to re-authenticate services after restore; and 5) if you want automated remote upload, implement it separately and review its access requirements (this script does not perform remote uploads itself).

Like a lobster shell, security has layers — review code before you run it.

latestvk97a20gwhby2nshbwrdzwdy30h81xmx1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments