Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
openclaw2backup
v1.0.1一键备份和恢复 OpenClaw 工作空间、Skills 及配置,支持快速和完整备份、选择性恢复及备份管理。
⭐ 0· 136·0 current·0 all-time
byCriss_Su@sucriss
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the instructions: this skill is for backing up and restoring OpenClaw workspaces, Skills, and config. However, the SKILL.md references several PowerShell scripts (quick_backup.ps1, full_backup.ps1, restore_backup.ps1, list_backups.ps1) that are not present in the package, and the README/meta reference a repository and publishing workflow that don't match the package source metadata. These gaps make it unclear whether the skill actually provides the code needed to perform the described operations.
Instruction Scope
Instructions tell the agent or user to run/authorize PowerShell scripts, set ExecutionPolicy to Bypass, restart the OpenClaw Gateway, and back up sensitive items including a 'FluxA Wallet' config. The skill does not include the referenced script files to inspect, and it gives broad operational steps (scheduling, restoring, automatic cleanup). Backing up wallet data is sensitive; instructions show how to bypass execution restrictions, which is a common operational step but increases risk if the underlying scripts are unknown.
Install Mechanism
There is no install spec and no code files to install — this is an instruction-only skill. That reduces risk from arbitrary remote installs, but it also means the runtime behavior depends on external scripts that are not bundled here.
Credentials
The skill declares no required environment variables or credentials, which aligns with a local backup utility. However, it mentions backing up a 'FluxA Wallet' (potentially sensitive data) without describing how credentials or private keys are handled. The lack of declared credential requirements means the skill won't explicitly request secrets, but users should be aware backups may include private data and should be stored securely.
Persistence & Privilege
The skill does not request always:true or persistent privileges. It is user-invocable and allows autonomous model invocation by default (the platform default) but does not request system-wide configuration changes or privileges beyond advising standard backup/restore operations.
What to consider before installing
Proceed carefully. Before installing or running anything: 1) Ask the publisher for the actual script files (quick_backup.ps1, full_backup.ps1, restore_backup.ps1, list_backups.ps1) or a trusted repository URL and verify their contents and checksums. 2) Inspect any scripts for dangerous operations (remote uploads, credential exfiltration, deleting unrelated files) before running. 3) Be cautious about backing up wallet files (FluxA Wallet) — ensure private keys are handled securely and stored encrypted/offline. 4) Note the platform mismatch: the skill claims cross-platform support but depends on Windows-specific PowerShell/.NET framework versions; if you use Linux/macOS, confirm compatibility (PowerShell Core/pwsh). 5) Avoid globally lowering execution policies unless you trust the exact script source; consider running scripts in a controlled/test environment first and keep a manual copy of current configs before restoring. If the maintainer can provide a source repo or the scripts for review, that would materially improve confidence.Like a lobster shell, security has layers — review code before you run it.
backupvk970b44k3snpx74hh0d1xaza7s832j3nlatestvk970b44k3snpx74hh0d1xaza7s832j3nopenclawvk970b44k3snpx74hh0d1xaza7s832j3nrestorevk970b44k3snpx74hh0d1xaza7s832j3nutilityvk970b44k3snpx74hh0d1xaza7s832j3n
License
MIT-0
Free to use, modify, and redistribute. No attribution required.