Security audit

Openclaw Auto Backup

Security checks across malware telemetry and agentic risk

Overview

This is a local OpenClaw backup tool with no evident network exfiltration, but it understates its ability to write, overwrite, delete, persist, and copy sensitive local agent state.

Review this before installing if your OpenClaw workspace contains secrets or sensitive profile/memory data. Use tight permissions on ~/.openclaw/backups, consider external encryption, verify the configured watchFiles, and be careful with restore, cleanup, and any cron entry because they can change or remove local state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The README understates the required privileges by claiming the skill only needs read access to ~/.openclaw/, while the documented restore and cleanup actions necessarily write, overwrite, and delete files. This can mislead users and reviewers about the operational risk, causing them to approve or run the skill without understanding that it can modify local state.

Scope Creep

Medium
Confidence: 95%
Finding
The documentation claims only read permission is needed, but the skill clearly writes archives and can restore files, which modifies the filesystem. Understating write/restore capabilities can mislead users and reviewers about the operational risk, especially for a tool that overwrites configuration data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README documents restore and cleanup commands but does not clearly warn that restore can overwrite current configuration and cleanup can permanently delete backup data. In a backup skill, these are expected capabilities, but failing to disclose destructive effects increases the chance of accidental data loss and unsafe use.

Missing User Warnings

Medium
Confidence: 88%
Finding
The restore flow copies files from a backup into the workspace without an explicit confirmation step, allowing a single command invocation to overwrite active configuration. In a backup/restore skill this behavior is expected, but it still creates integrity risk: a mistaken version selection, automation error, or attacker-influenced backup selection could replace live config and disrupt service or reintroduce unsafe settings.

VirusTotal

64/64 vendors flagged this skill as clean.
