Restart Recovery
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: restart-recovery Version: 1.0.0 The skill bundle implements workflow state management but contains a path traversal vulnerability in `scripts/checkpoint_tool.py`, where the `--workflow` argument is used to construct file paths without sanitization, allowing JSON files to be written outside the intended directory. Additionally, `SKILL.md` includes a 'Required operating rule' that instructs the AI agent to automatically resume unfinished workflows on startup; while aligned with the skill's purpose, this creates a persistence mechanism that could be abused if a malicious checkpoint file is planted on the filesystem.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad workflow ID or poisoned checkpoint could overwrite or create local .json/.lock files outside the skill’s checkpoint folder.
The workflow ID is used directly as a filesystem path component with no normalization or validation. Values containing '../' or an absolute path could make start/update/complete or resume lock creation read or write outside the intended memory/checkpoints directory.
def cp_path(workflow_id: str) -> Path:
return ROOT / f"{workflow_id}.json"
def lock_path(workflow_id: str) -> Path:
return ROOT / f"{workflow_id}.lock"Restrict workflow IDs to a safe slug format, reject path separators and absolute paths, resolve the final path, and verify it remains inside memory/checkpoints before reading or writing.
If a checkpoint file is edited or planted, the agent may resume the wrong step, skip work, or act on misleading checkpoint content.
The resume path loads a persistent checkpoint from disk and returns it after status/expiry checks, but does not recompute and compare checkpointHash or validate the JSON schema before the agent may act on it.
obj = load(p)
if obj.get("status") not in {"in_progress", "blocked"}:
continue
...
print(json.dumps(obj, indent=2))Validate the checkpoint schema and hash before returning it, treat checkpoint notes as data rather than instructions, and require explicit user approval before resuming high-impact actions.
Future agent sessions may automatically check and resume local workflows, and a local scheduled monitor may run repeatedly if the user sets it up.
The skill intentionally adds persistent startup behavior and recommends a recurring host-scheduled stale-check monitor. This is disclosed and aligned with restart recovery, but it persists beyond a single invocation.
On startup, check `memory/checkpoints/*.json` for unfinished workflows... continue from the last completed idempotent step. Use host scheduler (launchd/systemd/cron)... Run every 10 minutes.
Only add the AGENTS.md rule or scheduler entry if you want this persistent behavior, and document how to disable it.