OpenClaw Daily Backup

Security checks across malware telemetry and agentic risk

Overview

The skill performs backup and restore work, but it ships personal backup contents that could overwrite a user's agent identity and configuration with unrelated high-privilege behavior.

Install only after reviewing and removing the bundled backups, especially AGENTS.md, SOUL.md, BOOTSTRAP.md, TOOLS.md, USER.md, and openclaw.sanitized.json. Do not run restore until you have created your own backup and confirmed the source backup is yours; treat restored OpenClaw configuration as high-impact because it can change agent identity, messaging integrations, execution permissions, and persistent behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (51)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The report documents substantial capability and scope creep beyond the declared backup/restore purpose, including release packaging, publication workflow, and installer strategy research. In an agent skill context, unnecessary adjacent capabilities increase attack surface and can normalize performing actions the user did not request, creating opportunities for unintended code distribution or operational changes.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
These sections add software distribution and promotional/release activities that are not justified by a backup/recovery skill. In a tool-using agent ecosystem, that mismatch can cause over-privileged behavior or socially engineer operators into trusting the skill for repository publication and community announcement workflows unrelated to backup safety.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Installer and package-distribution research is unrelated to the stated backup/restore mission and introduces guidance about software delivery mechanisms into a safety-oriented skill. That broadening is dangerous because users may apply the skill in contexts where backup tooling should never influence installation or remote execution decisions.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The checklist repeatedly identifies the artifact as 'SOUL Backup Skill' instead of the manifested 'openclaw-daily-backup' skill, creating a supply-chain identity mismatch. This can cause publishers or users to push, tag, or trust the wrong repository/package, leading to accidental distribution of the wrong code or installation of an unintended skill.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The publish and install steps explicitly reference 'soul-backup' rather than 'openclaw-daily-backup', which could direct operators to publish under, install, or test against a different package name. In a backup/recovery skill, such confusion is more dangerous because users may trust the wrong tool during restore operations affecting core workspace identity/config files.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
This file defines a broad autonomous workspace persona and operating model far beyond the stated purpose of a daily backup/restore skill. In the context of a backup skill, such generalized instructions can expand the agent’s authority to unrelated files, memory stores, external resources, and behavioral routines, increasing the chance of unauthorized access or unintended actions.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
These instructions authorize emails, tweets, public posts, calendar checks, and web activity that are unrelated to backup/restore. Even though some actions say 'ask first,' embedding external-communication capability inside a backup skill normalizes unnecessary networked behavior and widens the blast radius if the skill is invoked in the wrong context or combined with other prompts.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
Group chat participation and reaction rules are unrelated to backup and recovery operations. Including them in this skill creates scope confusion and could cause the agent to engage in communications or expose contextual knowledge during an invocation that should remain limited to file protection tasks.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The heartbeat section authorizes periodic autonomous checks of email, calendar, mentions, weather, project status, memory files, and even commits/pushes changes, none of which are justified by a backup skill. This materially increases the chance of unintended surveillance, privilege expansion, data exposure, and autonomous actions triggered by broad polling behavior.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
This bootstrap file is materially inconsistent with the declared purpose of a daily backup/recovery skill. Instead of backup or restore workflows, it instructs the agent to establish identity, collect user profile data, and optionally connect external messaging accounts, creating a strong scope mismatch that could mislead users and expand the skill's privileges beyond what is necessary.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
Prompting users to link WhatsApp or Telegram accounts is unjustified in a backup/recovery skill and can facilitate unnecessary collection of external account access or identifiers. In this context, the mismatch makes the behavior more dangerous because users invoking a backup tool would not reasonably expect messaging integration or the associated privacy and security risks.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
This file defines a general-purpose persistent assistant identity, loyalty model, operating system, memory rules, and broad execution behavior rather than a narrowly scoped backup/restore skill. In a backup skill context, this is dangerous because it can override task boundaries, normalize access to unrelated files, and steer the agent toward ongoing autonomous behavior beyond the user's backup request.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The instructions mandate reading and updating unrelated files such as todo.md, progress-log.md, tasks/lessons.md, and other session-persistence artifacts, while also prescribing broad execution loops for any meaningful task. That creates unjustified authority and durable state changes outside backup operations, increasing the chance of unauthorized file access, prompt-scope expansion, and persistent manipulation of the workspace.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Directives to report conclusions to a specific person and to handle private financial, decision, and schedule information are unrelated to backup or restore functionality. In this context, they embed an unauthorized data-handling and exfiltration pathway, encouraging the agent to privilege a named third party over the actual task boundary or requester intent.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
This file is not a narrowly scoped backup definition; it is effectively a broad runtime configuration containing agent settings, execution policy, channel integrations, provider endpoints, and multiple secret-bearing fields. In a backup skill context, bundling live operational configuration greatly expands the attack surface because restore/import of this file could re-enable unsafe capabilities, overwrite trusted settings, or leak privileged integration details.

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The backup skill contains configuration for external model providers, Telegram, Discord, gateway access, and agent dispatch that are unrelated to simple backup/restore of workspace identity files. In this context, restoring or consuming this file could activate outbound communications and remote-control surfaces, turning a recovery artifact into a vehicle for persistence, exfiltration, or unintended service exposure.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
This backup skill file contains a full agent persona and operating policy that far exceeds daily backup, restore, and recovery. Embedding broad behavioral instructions in a backup-scoped skill can override user expectations, expand authority, and cause the agent to access unrelated files or perform unrelated actions when the skill is invoked.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The file authorizes capabilities unrelated to backup, including web searches, calendar/email/social checks, group-chat participation, and project work. In a backup skill context, this scope creep materially increases the chance of unintended external access, data exposure, and autonomous actions unrelated to the user’s request.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill directs reading and updating long-term memory and other workspace files beyond what is needed for backup operations. Even if framed as continuity or convenience, this broadens access to potentially sensitive data and allows modifications outside the backup task’s intended boundary.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The file presents a safety rule that outbound actions should require approval, but later instructs autonomous external checks and even pushing changes. This contradiction weakens operator safeguards because the more permissive instructions can be used to justify network activity despite the earlier warning.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
This file's instructions are fundamentally unrelated to the declared backup/restore purpose of the skill and instead drive identity bootstrapping, persona shaping, user profiling, and channel onboarding. In a backup skill context, this scope mismatch is dangerous because it can trick the agent into collecting personal data and altering workspace state under the guise of a routine maintenance workflow.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The WhatsApp and Telegram setup steps introduce unnecessary external connectivity for a skill whose stated purpose is daily backup and recovery. This expands the attack surface and may lead to unintended account linking, data exposure, or off-platform persistence without a legitimate operational need in this context.

Description-Behavior Mismatch

High
Confidence: 95%
Finding
This backup file contains live operational settings for channels, gateway access, and plugins that go beyond the stated purpose of routine backup/restore of core workspace identity/config files. Restoring it would not just recover identity state; it would reinstate externally reachable behavior and communications surfaces, which materially expands risk if applied in the wrong environment.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The file would restore Telegram and Discord connectivity, including tokens, access policy, and session/thread behavior, which can re-enable outbound and inbound communications. In the context of a daily backup skill, that is more dangerous because users may reasonably expect passive recovery of state, not reactivation of external integrations that expose the agent to untrusted networks and commands.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The backup includes agent defaults, permissive subagent settings, and a full tool profile, all of which affect execution authority rather than simple identity/config recovery. Restoring these settings can silently broaden what the agent may do after recovery, increasing the blast radius of misuse or misconfiguration.

VirusTotal

65/65 vendors flagged this skill as clean.