Back to skill

Security audit

Simple Backup

Security checks across malware telemetry and agentic risk

Overview

This is a coherent backup skill that handles sensitive OpenClaw data for its stated purpose, with operational risks users should understand before enabling cloud sync.

Install this only if you want broad backups of your OpenClaw workspace, state, and skills. Use a strong dedicated backup password, prefer a permissions-restricted key file over putting the password in shared config, review what is inside your state and skills directories, and only set remoteDest/REMOTE_DEST for a cloud location you trust. Be aware that retention pruning deletes older backup archives and rclone sync can mirror deletions to the configured remote.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script archives the entire skills directory in addition to workspace and state, which broadens collection beyond the core agent data described in the skill metadata. Skills can contain embedded secrets, API keys, proprietary code, or other agents' content, so this creates an avoidable over-collection and exfiltration surface, especially when cloud sync is enabled.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The script accepts the backup encryption password from the main config file, which risks storing a long-term secret in plaintext in a broadly readable and routinely backed-up location. That weakens the protection of the encrypted archive because compromise of the config or state directory can also disclose the key needed to decrypt backups.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill handles highly sensitive data from the workspace and state directories and can sync that data to a cloud remote, but the description does not prominently warn users about the sensitivity or remote exfiltration risk. In agent environments, state/config directories may contain credentials, tokens, prompts, and other secrets, so insufficient disclosure can lead to accidental exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently sources encryption credentials from environment variables, config, or a local key file without clearly notifying the user about the sensitivity and persistence implications of those sources. This can lead operators to place secrets in insecure locations or accidentally back them up, increasing the chance of credential exposure through normal system administration or backup handling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script can transmit full encrypted backups to an rclone remote without a strong user-facing warning or confirmation at execution time. Even though the archive is encrypted, this still sends sensitive agent data off-host and may disclose metadata, retention behavior, or expose backups if the remote is misconfigured or the passphrase is weak/compromised.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"SKILL.md"
  ],
  "dependencies": {
      "rclone": "*",
      "gpg": "*"
  }
}
Confidence
96% confidence
Finding
"rclone": "*"

Unpinned Dependencies

Low
Category
Supply Chain
Content
],
  "dependencies": {
      "rclone": "*",
      "gpg": "*"
  }
}
Confidence
96% confidence
Finding
"gpg": "*"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.