
Security audit

OpenClaw GitHub Backup

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OpenClaw-to-GitHub backup skill, but it uses broad sensitive-data backup plus destructive Git operations that users should review before installing.

Install only after reviewing and editing the scripts. Use a new empty private repository, remove force-push behavior, remove recursive .git deletion, avoid global Git config changes, and verify exactly what files will be uploaded, especially memory, credentials, sessions, and workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation instructs users to run shell commands that read and write files under ~/.openclaw and execute installation scripts, yet it declares no permissions. This is a real transparency and trust-boundary issue because users and hosting systems cannot accurately assess the skill's capabilities before installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The stated purpose frames the skill as backing up configuration, but the described and reported behavior extends to most of ~/.openclaw, including agent history, workspaces, memory, credentials, and other sensitive state. That mismatch is dangerous because it can cause users to authorize broad exfiltration and destructive Git operations without realizing the true scope, especially given global Git config changes, SSH/known_hosts modification, deletion of nested .git directories, and possible force-push behavior.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script stages all changes with 'git add -A' from the entire ~/.openclaw repository, despite comments claiming only a limited subset is backed up. This can exfiltrate unintended sensitive data such as logs, memory, tokens, prompts, or other private workspace content to GitHub, expanding exposure beyond user expectations.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The header comment documents a narrow backup scope, but the implementation actually stages the full repository. This mismatch is security-relevant because users may consent based on misleading documentation and unknowingly publish far more data than intended.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The installer runs `git config --global user.name` and `git config --global user.email`, which changes the user's global Git identity for all repositories, not just this backup repo. That exceeds the minimum permissions needed for a backup skill and can silently affect unrelated developer workflows, commits, and audit trails.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script uses `git push -u origin main --force`, which can overwrite remote history and destroy existing contents of the configured repository. Because the installer only asks for a repo URL and does not prominently warn about history replacement, a user can accidentally target the wrong repository and lose data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The backup operation pushes local OpenClaw data to a remote GitHub repository without a strong, explicit user-facing warning at execution time. In this skill context, the repository may contain conversation history, memory, extensions, or other sensitive configuration, so silent remote transmission materially increases privacy and data-leak risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
On push failure, the script automatically retries with '--force', which can overwrite remote history and destroy backups without meaningful user confirmation. In a backup tool, destructive remote history rewrites are especially dangerous because they can erase prior recovery points and hide accidental or malicious changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
`find . -name ".git" -type d -exec rm -rf {} +` recursively deletes all nested `.git` directories under `~/.openclaw` without warning or confirmation. This is destructive and can permanently erase repository metadata for embedded projects, submodules, or intentionally versioned content inside the backup tree.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script force-pushes local data to the configured GitHub repository without a clear, specific warning that remote history will be overwritten. In a backup context this is especially risky because users may reasonably assume the operation is additive and safe, not destructive to existing backups or unrelated repository contents.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```
ssh -T git@github.com

# Force push (use with caution)
cd ~/.openclaw && git push origin main --force
```

### Configuration Lost After Restore
Confidence
92% confidence
Finding
git push origin main --force

VirusTotal

66/66 vendors flagged this skill as clean.
