ClawHub

git-backup

Security checks across malware telemetry and agentic risk

Overview

This is a real workspace backup skill, but it can upload sensitive OpenClaw memory, identity, user, and skill files to a Git remote with weak safeguards.

Install only if you intentionally want OpenClaw memory, identity, user, and skills data copied to a private Git repository. Use a dedicated private repo and least-privilege token, avoid logging tokens, do not override BACKUP_DIR, and review or remove the force-push and automatic watcher behavior before enabling heartbeat, cron, or daemon mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill is configured to trigger on very common terms such as "git", "github", and "backup", which can cause unintended invocation in ordinary conversations unrelated to workspace backup. Because this skill handles repository creation and data exfiltration to external services, overly broad activation increases the chance of accidental credential prompting or unintended transmission of workspace contents.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically pushes workspace contents to a remote Gitee repository without any interactive confirmation or dry-run safeguard. In this context, the backed-up files include highly sensitive agent state such as memory, identity, user, and skills data, so an accidental run or misconfigured repository can exfiltrate private information to an external service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script performs an unconditional `rm -rf` on `BACKUP_DIR`, which is environment-overridable and therefore subject to accidental misconfiguration. If `BACKUP_DIR` is set to an unintended path, this can irreversibly delete arbitrary local files without warning.

Missing User Warnings

High
Confidence
97% confidence
Finding
The fallback to `git push -f` can overwrite remote history without user approval, destroying prior backups or audit history. In a backup script, force-pushing is especially dangerous because it undermines the integrity and recoverability expectations of backup data.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script sends the Gitee access token in the URL query string when fetching the username. Query-string secrets are commonly exposed through shell history, process listings, HTTP logs, proxies, and monitoring systems, making accidental credential disclosure more likely even over HTTPS. In this backup-setup context, the token is a real credential with repository-management scope, so exposure could allow unauthorized access to the user's Gitee resources.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script automatically invokes a backup helper whenever watched files change, and it does so whenever GITEE_TOKEN and GITEE_REPO are present, with no confirmation, consent prompt, scope restriction, or clear disclosure in this file about what data will be transmitted. In an agent/skill context that watches sensitive workspace files such as memory, identity, and skills directories, this creates a real risk of unintended exfiltration of potentially sensitive repository contents to a remote service if credentials are configured.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal