Bud Backup Tool

Security checks across malware telemetry and agentic risk

Overview

This backup skill does what it says locally, but it handles credentials and can push backups to a hardcoded GitHub repository without strong safeguards.

Review before installing. Use only for local backups unless you have inspected and changed the GitHub destination. Do not push archives containing credentials unless they are encrypted and going to a private repository you control. Test restore on a disposable OpenClaw profile first, because restore can overwrite current configuration and credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The manifest declares only "exec" and "read", but the documented behavior clearly includes creating archives, restoring files, and pushing backups remotely, which require write and network-like capabilities. This mismatch undermines user trust and permission boundaries, especially because the skill handles highly sensitive data such as credentials and identity files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill advertises backup/restore of OpenClaw configuration, skills, memory, and workspace, but the content also covers remote GitHub synchronization and backup of additional highly sensitive directories like credentials, identity, vpn-mesh, and health-monitor. This description-behavior gap can mislead users into authorizing broader collection and exfiltration of secrets than they intended.

Scope Creep

High
Confidence
97% confidence
Finding
The manifest allows only "exec" and "read", while the documentation describes writing backup archives and overwriting files during restore. This discrepancy means the documented behavior exceeds the declared security model, creating a dangerous integrity risk because restore can destroy or replace local state.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill description says it backs up configuration, skills, memory, and workspace files, but the code silently includes identity, credentials, vpn-mesh, and health-monitor directories. This mismatch hides collection of far more sensitive data than advertised, increasing the risk of credential theft, privacy exposure, and operator deception.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest presents the tool as backup/restore functionality, but the implementation also clones, commits, and pushes archives to GitHub. That undisclosed network export materially changes the trust model and can lead users to expose sensitive local state off-device without informed consent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Remote GitHub sync is beyond the narrowly described local backup-and-restore purpose and introduces unnecessary exfiltration risk. In the context of this tool, which archives highly sensitive OpenClaw state, adding hidden outbound transfer makes the skill substantially more dangerous.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly includes credentials and API keys in backups and encourages pushing backups to GitHub with only a weak suggestion to keep the repository private. Because backups may contain authentication material and identity data, this creates a serious exfiltration and account-compromise risk if the repo is misconfigured, shared, or the token is exposed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The restore documentation presents a destructive operation without a strong, front-loaded warning that it can overwrite existing files and destroy current local state. In a skill that handles configuration, identity, memory, and credentials, accidental restore could cause data loss, credential rollback, or replacement with stale or attacker-controlled content.

Missing User Warnings

High
Confidence
100% confidence
Finding
The backup set explicitly includes credentials and related sensitive state, and another code path can push the resulting archive to GitHub with no meaningful warning or consent flow. This creates a direct path to exfiltration of secrets, identity data, and potentially infrastructure access material to a remote service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The restore path extracts archive contents directly into the live ~/.openclaw directory without confirmation, dry-run preview, overwrite checks, or integrity validation. A mistaken or malicious backup file could overwrite active configuration and state, causing denial of service, persistence of unsafe files, or restoration of attacker-controlled content.

VirusTotal

65/65 vendors flagged this skill as clean.
