Yaoyao Cloud Backup V2

Security checks across malware telemetry and agentic risk

Overview

This backup skill is not clearly malicious, but it should be reviewed because it handles credentials and OpenClaw memory data more broadly than its safety wording suggests.

Install only after reviewing the data paths and provider configuration. Use dedicated least-privilege cloud credentials, never root cloud keys, and avoid pasting secrets into chat. Run dry-run/status commands first, verify exactly what memory/export files will be uploaded, and restore only backups you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (48)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises and documents capabilities that imply environment access, filesystem reads/writes, network operations, and shell execution, yet no explicit permissions are declared. This weakens the trust boundary for users and reviewers because the effective capability set is broader than the declared security posture.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is limited to cloud backup sync, but the observed behavior includes memory export/import, local backup lifecycle management, installation and database discovery, persona/vector DB inspection, Tencent IMA sync, and release publishing. This scope expansion materially changes the risk profile because the skill can access and manipulate substantially more local and remote data than users would reasonably infer from the description.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill claims it does not collect sensitive information, yet earlier sections instruct users to provide passwords, access keys, and server login details directly to the assistant. This contradiction can mislead users into disclosing secrets under a false sense of safety.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The auto-detection routine reads unrelated sensitive local sources such as ~/.ssh/config, ~/.ssh/known_hosts, and a secrets.env file to infer backup targets. Even if it does not exfiltrate secrets directly, indiscriminate inspection of credential- and infrastructure-related files exceeds what users would reasonably expect from a backup setup assistant and exposes sensitive hostnames, service relationships, and credential presence.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The SFTP client sets Paramiko's host key policy to AutoAddPolicy, which blindly trusts unknown server keys. This disables host authenticity verification and enables man-in-the-middle attacks, allowing an attacker on the network to intercept credentials and tamper with backup contents.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The module goes beyond passive discovery of local cloud clients and actively inspects a credential file and sensitive environment variables to infer configured services. Even though it only checks for key names and does not print secret values, reading sensitive sources without explicit user consent expands data access unnecessarily and creates privacy and trust risks.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The module can write internal memory records to any user-supplied local path in several export formats, which creates a data exposure primitive beyond the stated cloud-backup purpose. In a backup-oriented skill, undisclosed local bulk export of memory contents is risky because sensitive records can be copied into insecure locations, shared folders, or paths later synchronized elsewhere.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The migration script appears to belong to a different product/domain ('龙虾记忆系统', 'yaoyao-memory', 'today-task') than the advertised cloud-backup skill. In a security review, this mismatch is a supply-chain integrity issue because users may install a backup-related skill that also reads and migrates unrelated credentials, increasing the chance of unintended secret access or hidden functionality.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
Inline docs and CLI text naming different products than the surrounding skill indicate code reuse or repackaging without proper isolation. That inconsistency is dangerous because it can conceal unexpected behavior, mislead users about what secrets are being handled, and weaken trust in the package's provenance.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The module scans the user's home directory and discovers OpenClaw memory, vector DB, and persona paths that may belong to unrelated agents or user data, which exceeds the declared backup-sync scope. In a backup-oriented skill, broad automatic discovery of sensitive memory/persona locations increases the chance of unauthorized collection, backup, or later exfiltration of private data.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
find_openclaw_home() creates ~/.openclaw as a side effect when discovery fails, which turns a read-like lookup into a filesystem-modifying operation. Silent creation of application directories can mislead users, interfere with host state, and prepare locations later used for data placement without informed approval.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script's default mode is '--type all', which uploads full daily memory files and the entire MEMORY.md, despite describing itself as syncing only 'important memory'. This creates a real overcollection/privacy risk because sensitive notes, personal data, credentials, or internal context stored in those files may be sent to a third-party cloud service without minimization.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module documentation materially understates what the code does: the default execution path uploads the full contents of memory files rather than only important subsets. That mismatch is dangerous because users and calling agents may make trust decisions based on the narrower description and unintentionally disclose more data than expected.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger language is broad enough that normal conversation about cloud backup may activate the skill unintentionally. Because the skill handles backups, credential setup, and sync actions, accidental activation can lead to unwanted prompting for secrets or unintended operations.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The example trigger phrases are generic and lack boundary conditions, so the skill may activate from ordinary discussion rather than deliberate invocation. In a backup skill with credential handling and remote sync, this raises the chance of unintended disclosure prompts or filesystem/network actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation tells users to provide cloud storage passwords and access keys directly for configuration without a clear risk warning or secure collection method. Asking for secrets in conversation creates a direct credential-exposure path and can compromise remote storage accounts if logs, transcripts, or intermediaries are accessed.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs users to disclose NAS and server login information during setup, again without adequate warning about exposure and misuse. These credentials can provide broad access to internal storage or remote systems, making compromise more serious than a single application password.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs sensitive discovery of environment-based API credentials and a secrets.env file while only presenting a generic 'detecting cloud services' message. Users are not clearly told that credential-bearing sources will be inspected, undermining informed consent and creating privacy and trust risks in a setup flow that claims to be beginner-friendly and automatic.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code recursively reads Nextcloud configuration files and extracts service URLs without explicit disclosure to the user. Service endpoints can reveal internal infrastructure, account associations, or self-hosted instance details that are sensitive in many environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Restore copies extracted files into the target directory with fixed names and no overwrite prompt, so existing notes can be silently replaced. In a backup tool operating on a user's memory/workspace directory, this can cause integrity loss and accidental destruction of current data, especially if a stale or maliciously modified backup is restored.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The import routine writes attacker-controlled filenames and content directly into the memory directory and can overwrite existing files in replace mode or append content in merge mode without any confirmation, validation, or rollback. In this skill context, the module handles persistent user memory, so importing an untrusted JSON backup can silently corrupt, poison, or destroy stored memory data and may also allow path traversal via crafted filenames.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code silently reads a local secrets file under the user's home directory to determine which services are configured. Accessing credential storage without prior notice or consent is risky because it normalizes secret-file inspection and could be extended or abused to collect sensitive information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The module checks for the presence of cloud credential environment variables without any user-facing disclosure. Environment variables often contain high-value secrets, so probing them silently is an unnecessary access to sensitive process context and exceeds what many users would expect from simple backup-service discovery.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
save_export() writes potentially sensitive memory content directly to an arbitrary filepath without any classification check, consent prompt, or warning. This is dangerous because memory databases often contain personal, confidential, or operationally sensitive information, and arbitrary-path export makes accidental leakage or unsafe persistence much easier.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code creates directories under the user's home directory without explicit warning or confirmation, violating least surprise and safe filesystem practices. Even if not directly exploitable for code execution, this can alter user state unexpectedly and facilitate later storage of sensitive data in locations the user did not approve.

VirusTotal

67/67 vendors flagged this skill as clean.