Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Securely store OpenClaw configuration and key information. Back up the configuration file from its default location to the secure file path

v1.0.0

Securely store OpenClaw configuration and key information. Back up the configuration file from its default location to the secure file path keys.txt.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yegou777/save-secure-keys.

Prompt preview (Install & Setup):
Install the skill "Securely store OpenClaw configuration and key information. Back up the configuration file from its default location to the secure file path" (yegou777/save-secure-keys) from ClawHub.
Skill page: https://clawhub.ai/yegou777/save-secure-keys
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install save-secure-keys

ClawHub CLI

npx clawhub@latest install save-secure-keys
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description claim to back up OpenClaw configuration and keys, which matches the provided Python script that copies a config file. However the SKILL.md says the default source is ~/.openclaw/openclaw.json while the script defaults to ~/.openclaw/openclaw.json.bak — a concrete mismatch. Also the documentation hardcodes a privileged target (/root/keys.txt) which is not a proportional or clearly justified default for a user-facing backup.
Instruction Scope
The runtime instructions tell the agent to run the included script (ok) but explicitly direct it to write sensitive data to /root/keys.txt. The script will create target directories if necessary and unconditionally copy the file without encryption or redaction. The SKILL.md and script disagree on the default source path, which could cause confusion and accidental data omission or copying the wrong file. Writing secrets to a world- or root-accessible path without encryption is a clear scope risk.
Install Mechanism
No install spec; this is instruction + a single Python script and requires only python3 on PATH. No external downloads or package installs are performed.
Credentials
The skill requests no environment variables or credentials (appropriate). However, it requests access to a sensitive local config file and defaults to copying it into a privileged path (/root/keys.txt). The lack of any encryption, access control, or justification for the root destination makes the handling of credentials disproportionate to a benign backup task.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not modify other skill settings. It can be invoked autonomously by the agent (platform default). Combining autonomous invocation with the ability to read and copy sensitive local config files increases risk if the agent is given broad scope — consider limiting invocation or requiring explicit user confirmation before run.
What to consider before installing
This skill does what it says (copies an OpenClaw config file) but has concerning choices you should consider before installing or running it:

- Path mismatch: SKILL.md says default source is ~/.openclaw/openclaw.json but the script uses ~/.openclaw/openclaw.json.bak. Confirm which file contains your real keys.
- Privileged target: The default destination is /root/keys.txt. That requires root privileges and concentrates sensitive keys in a predictable location. Prefer a user-owned, non-root path or an encrypted store.
- No encryption or access control: The script copies keys in plaintext. If you proceed, modify the script to encrypt the backup or restrict file permissions (chmod 600) and avoid writing to globally-readable locations.
- Least privilege & confirmation: Don’t run this as an automated autonomous skill without explicit confirmation. Require the agent to ask you before copying sensitive files.
- Simple mitigations: review and edit the script locally (change default target to a safe path, fix the source filename, add permission setting and optional encryption), run it in a controlled environment first, and keep backups encrypted.

Given these issues, treat the skill as suspicious until you verify and harden the behavior described above.
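The permission and path mitigations named above, sketched in Python as an added example; this is not the skill's save_keys.py, and the function name, backup file name and directory layout are assumptions. It covers a private user-owned destination, 0600 from creation, and no silent overwrite, but not encryption.

```python
import os
import shutil
import stat


def backup_config(src, dest_dir, name="openclaw-backup.json"):
    """Copy src into dest_dir as a private (0600) file and return its path.

    Hypothetical helper: names and paths are illustrative, not the skill's.
    """
    # Create the backup directory as 0700, or reuse an existing one.
    try:
        os.mkdir(dest_dir, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(dest_dir)  # lstat: a symlinked directory is refused below
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.geteuid():
        raise PermissionError(f"{dest_dir} is not a directory owned by this user")
    if st.st_mode & 0o077:
        raise PermissionError(f"{dest_dir} is accessible to group or others")

    # O_NOFOLLOW refuses a source whose final path component is a symlink,
    # so the file copied is the one the caller explicitly named.
    in_fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(in_fd, "rb") as inp:
        if not stat.S_ISREG(os.fstat(inp.fileno()).st_mode):
            raise ValueError(f"{src} is not a regular file")
        dest = os.path.join(dest_dir, name)
        # O_EXCL never overwrites an earlier backup; mode 0600 is applied at
        # creation, so the secrets are never briefly readable by other users.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        out_fd = os.open(dest, flags, 0o600)
        with os.fdopen(out_fd, "wb") as out:
            shutil.copyfileobj(inp, out)
    return dest


if __name__ == "__main__":
    import tempfile

    # Constructed sample config in a throwaway directory (not real keys).
    work = tempfile.mkdtemp()
    sample = os.path.join(work, "openclaw.json")
    with open(sample, "w") as f:
        f.write('{"api_key": "CONSTRUCTED-SAMPLE"}')
    saved = backup_config(sample, os.path.join(work, "backups"))
    print(saved, oct(stat.S_IMODE(os.stat(saved).st_mode)))
```

The source path is a required argument on purpose: with no built-in default there is no openclaw.json versus openclaw.json.bak ambiguity to get wrong.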

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔐 Clawdis
Bins: python3
latest vk97e56bp5hg5mb20jq916g9cs583psh2
90 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

save-secure-keys

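This skill securely backs up OpenClaw's core configuration file (which contains sensitive information such as API keys and endpoints) from the default configuration file path to a specified storage path.

Usage

You can invoke it directly in the following ways:

  • "Back up my keys to keys.txt"
  • "Securely save the OpenClaw configuration"

Internal implementation

The skill locates OpenClaw's main configuration file on the system (usually at ~/.openclaw/openclaw.json) and uses a Python script to securely copy its contents to the target path /root/keys.txt

Command reference

The AI will run the following command based on your request:

python3 {{SKILL_DIR}}/save_keys.py

Or, if non-default paths need to be specified:

python3 {{SKILL_DIR}}/save_keys.py [source path] [target path]

Note: Because the backup operation involves sensitive data and the target path may be a protected directory (such as /root/), make sure the runtime environment has the necessary permissions.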
