OpenClaw Backup & Restore

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This backup tool is mostly purpose-aligned, but users should review it carefully because its GitHub backup flow can push sensitive OpenClaw state and possibly raw config files off-machine.

Before installing, decide whether you trust this skill to read and restore core OpenClaw state files. Use dry-run before restores, keep backups private, prefer sanitized config for remote sync, avoid pushing raw openclaw.json, and only enable scheduled backups if you can monitor where they write and push data.

Static analysis

Dangerous exec

Severity: Critical
Finding: Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private agent state, user preferences, tool configuration, or credentials could be committed and pushed to a remote repository if the user runs the GitHub backup flow without sanitizing and protecting the repo.

Why it was flagged

The remote backup workflow pushes the backup directory to git, and the wording implies that the default GitHub backup may include the real config unless the sanitized-only option is chosen.

Skill content

node scripts/backup-and-push.mjs --remote origin ... # Push sanitized-config-only backup instead of the real config

Recommendation

Use a private/encrypted backup destination, prefer sanitized config for any remote backup, avoid committing raw openclaw.json, and inspect generated backups before pushing.

What this means

Running the GitHub backup script can change local git state and push commits to the configured remote.

Why it was flagged

The static scan shows shell command execution. The SKILL.md discloses that this script runs git add, git commit, and git push, so it is purpose-aligned but still high-impact.

Skill content

const result = spawnSync(command, commandArgs, {

Recommendation

Confirm the remote, branch, and files staged before using backup-and-push, especially in shared or public repositories.

What this means

The script can publish backup commits wherever the user's git credentials have write access.

Why it was flagged

The git push operation will use the user's configured git/GitHub credentials or SSH keys, giving the script delegated authority over that repository.

Skill content

git push <remote> <branch>

Recommendation

Use a dedicated private backup repository or remote with least-privilege access, and verify git credentials before running remote sync.

What this means

Backups or pushes may continue to run automatically on a schedule and could repeatedly copy or publish updated agent state.

Why it was flagged

The skill documents persistent scheduled execution. This is normal for backups, but it means the behavior can continue after initial setup.

Skill content

For unattended runs, use the included GitHub Actions workflow ... or call the same script from cron / launchd.

Recommendation

Only enable cron, launchd, heartbeat, or GitHub Actions schedules deliberately, document them, and review them periodically.

What this means

Users may not realize the skill depends on Node.js and git until they run the documented commands.

Why it was flagged

The registry metadata does not declare required binaries, while the instructions rely on node scripts and git operations. This is an under-declared dependency/provenance issue, not direct evidence of malicious behavior.

Skill content

Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

Recommendation

Declare Node.js and git requirements in metadata and keep any referenced automation files included in the published package.