Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
System Integrity And Backup
v0.1.0
Encrypted backups, integrity verification, and data retention enforcement for Greek legal requirements (5-20 year retention). AES-256.
by Stems (@satoshistackalotto)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binaries (jq, openssl, tar), and required env vars (OPENCLAW_DATA_DIR, OPENCLAW_ENCRYPTION_KEY) are appropriate and expected for a local encrypted backup + integrity tool for the OpenClaw data tree.
Instruction Scope
SKILL.md confines operations to OPENCLAW_DATA_DIR and shows only local file operations and CLI commands (no network exfiltration). However it claims to "run silently in the background" and to never write the encryption key to disk while also providing scheduling commands — the instructions do not explain how scheduled/autonomous runs will obtain the ephemeral OPENCLAW_ENCRYPTION_KEY safely. Also one example restore-test target is /tmp/verify-restore (outside OPENCLAW_DATA_DIR), which contradicts the note that operations are local to OPENCLAW_DATA_DIR and raises a plaintext exposure risk during verification.
Install Mechanism
Instruction-only skill with no install spec or code files—lowest install risk. The SKILL.md uses system binaries already expected to be present; the single inline hint to use 'sudo apt install' is an OS-specific convenience but not an installer hidden in the skill.
Credentials
Only two env vars are required and both are directly relevant. Operationally, requiring OPENCLAW_ENCRYPTION_KEY to be present in environment for scheduled jobs implies you must manage secret persistence (secret manager, env injection for service, or operator session). The skill's claim to "never write [the key] to disk" is reasonable but needs an explicit, secure method for the key to be available to automated/scheduled verification runs.
Persistence & Privilege
always:false and no claims to modify other skills or system-wide config. The skill's autonomy (agent-invocable) is normal. There is no request for persistent privileges beyond access to OPENCLAW_DATA_DIR via the declared environment variable.
Assessment
This skill appears to do what it claims (local AES-256 encryption, hashing, retention rules). Before installing, confirm these operational points:
1) Ensure the openclaw CLI referenced in the docs actually exists in your environment and you trust it.
2) Decide how scheduled jobs will get OPENCLAW_ENCRYPTION_KEY securely (use a secrets manager or orchestrator injection rather than leaving a long-lived plaintext export in shell startup files).
3) Change verification restore targets to a secure, access-controlled location inside your data directory (or ensure /tmp is encrypted and access-limited) to avoid writing plaintext backups to an insecure temp path.
4) Verify scheduling behavior (how/where background jobs run) because the SKILL.md describes background operation but provides no service/daemon install steps.
5) Confirm that human-approval hooks for deletions and migration rollbacks are implemented and tested.
If these points are clarified and implemented, the skill is coherent with its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: jq, openssl, tar
Env: OPENCLAW_DATA_DIR, OPENCLAW_ENCRYPTION_KEY
