OpenClaw Backup & Restore

Security checks across malware telemetry and agentic risk

Overview

The skill is a real backup/restore utility, but it has enough under-disclosed risk around sensitive config backups, remote Git pushes, and inconsistent paths that users should review it carefully before installing.

Install only after reviewing the scripts and setting a private, intended backup remote. Avoid backup-and-push unless you understand that it defaults to raw OpenClaw config backup; prefer sanitized mode, verify the destination repository is private, and run restore with --dry-run first. Be cautious with the stale hard-coded paths and manual copy examples because they can overwrite live workspace files or operate on the wrong directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The runbook is materially mismatched to the declared OpenClaw backup/restore skill and instead targets a different 'SOUL Backup Skill' workspace and hard-coded paths. In a recovery/restore context, this can cause operators or agents to back up, restore, or validate the wrong files, leading to unintended overwrite, data loss, or exposure of unrelated workspace contents.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The metadata slug does not match the declared skill identity, which creates a supply-chain and deployment integrity risk: reviewers, packaging systems, or users may believe they are installing or invoking one skill while the artifact identifies itself as another. In a backup/restore skill, identity confusion is more dangerous because it can misroute sensitive operations, overwrite trusted skill updates, or hide a substituted package behind a familiar name.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The quick-start section presents `node scripts/restore.mjs` as a simple default action without an adjacent warning that it overwrites workspace state. In a backup/restore skill, this is dangerous because users often copy-paste quick-start commands verbatim, which can trigger unintended destructive changes to active files and agent configuration.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The restore example shows an overwrite-style restore operation without an explicit warning that current workspace files may be replaced. In a backup/restore skill this behavior is expected, but documenting destructive commands without emphasizing pre-checks or dry-run usage increases the chance of accidental data loss by users.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The emergency recovery example uses `cp -r .../* .`, which can overwrite files in the current directory with no confirmation or preview. Because this is a manual recovery path used when normal safeguards are unavailable, a user could easily destroy newer or unrelated workspace state by running it from the wrong directory or against the wrong backup.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The feature description prominently encourages one-click backup and restore of agent state files, but it does not clearly warn in the main UX flow that backups are stored locally and unencrypted by default. Because these files may contain API keys, prompts, identities, or other sensitive configuration, users may create backups under a false assumption of safety and leave recoverable secrets on disk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The document instructs users to run restore operations that can overwrite workspace files, but the workflow steps do not place an explicit destructive-action warning at the moment the restore command is presented. In a backup/restore skill, this increases the chance of accidental data loss because users may execute the command directly without appreciating that current state will be replaced.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The emergency recovery example uses a recursive copy command to place backup contents into the workspace, which can overwrite existing files, but it does not explicitly warn about that effect. Manual recovery commands are especially risky because they bypass script safeguards like pre-restore backup, validation, and confirmation, making accidental destructive restore more likely.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The restore instructions encourage use of the restore command but do not clearly warn that a non-dry-run restore can overwrite existing workspace files. In a backup/restore skill, that omission is security-relevant because it can lead to destructive state rollback, loss of newer data, or restoration of unintended content if a user runs the command without understanding its effect.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README promotes backup and automated Git push of highly sensitive agent state files, including personality, instructions, user profile data, and optionally the real OpenClaw config, without a prominent upfront warning about secrecy, repository privacy, and credential exposure. In this context, users may reasonably follow the quick-start flow and sync sensitive data to a remote repository, causing confidentiality loss off-machine and potentially exposing tokens or operational instructions if the repo is public or misconfigured.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The restore examples document commands that overwrite current workspace files, but do not clearly warn that restore is destructive to the current state. Even though rollback is mentioned elsewhere, users reading the restore section may execute a restore and unintentionally replace newer or valid configuration and memory files, causing integrity loss or service disruption.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The restore instructions include commands that perform real file overwrites, but the warning to use preview or dry-run first is not consistently colocated with those commands. In a state-management skill, incomplete safety disclosure increases the chance that a user or downstream agent will execute destructive restores directly against live workspace data.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The validation checklist instructs testers to perform an actual restore without a nearby warning that the action modifies workspace state. This is dangerous because checklist-style instructions are often followed mechanically, increasing the risk of accidental overwrite or rollback of valid current data during testing.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The skill description is very broad and can trigger on generic backup, restore, rollback, validation, or recovery requests, including ones outside OpenClaw workspace state management. Over-broad routing increases the chance that an automation agent invokes this skill in the wrong context and applies backup or restore actions to sensitive files or repositories unintentionally.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This section instructs users to create backups and push them to Git remotes even though the backups may contain sensitive configuration and optional real openclaw.json contents. Without a prominent warning at the point of use, an agent or user could exfiltrate secrets, user data, or configuration to an unintended or public remote.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The restore guidance presents restore operations as routine usage without a strong warning that they can destructively replace current workspace files. In an agent-driven setting, this can lead to accidental data loss, rollback of valid changes, or overwriting of current state without sufficient operator awareness.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script automatically commits and pushes backup contents to a configured remote repository without any explicit confirmation, dry-run warning, or guardrail at the point of data transmission. Because the backup may include raw OpenClaw configuration by default (`rawOpenClawConfig: true`), this can exfiltrate sensitive state or secrets to a remote destination if the remote is misconfigured, unexpected, or shared.

VirusTotal

64/64 vendors flagged this skill as clean.