SOUL Backup Skill
v1.2.1Backup and restore OpenClaw workspace SOUL files with versioning, validation, and sanitized openclaw.json handling.
⭐ 0· 251·1 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name, description, and SKILL.md all describe a local backup/restore tool for SOUL files and that matches the included scripts and docs. However the registry metadata claims 'Required binaries: none' while all runtime examples and the included .mjs scripts require Node (node command). That is an inconsistency: Node.js is a legitimate required runtime for this skill and should be declared.
Instruction Scope
The SKILL.md instructions stay within the stated purpose: create/back up SOUL files, list/validate/restore them, sanitize openclaw.json, and use cron/hooks for automation. The instructions explicitly operate on workspace files and manifest.json and do not instruct the agent to read unrelated system data or to ship data to external endpoints. They do reference cloning or using a repository URL and manual cp for emergency recovery (expected for a backup tool).
Install Mechanism
There is no install spec (instruction-only at registry level), which reduces install-time risk. However, the package contains multiple executable scripts (.mjs) and a package.json; installing means cloning/placing these files in a workspace and running them with node — nothing is automatically installed by the skill. This is consistent but should be explicitly documented as requiring Node.js on PATH (the metadata omitted that).
Credentials
The skill does not request any environment variables or external credentials and the documented behavior (sanitizing openclaw.json and redacting token/key/password fields) is consistent with that. There is no indication the scripts attempt to access unrelated credentials or other services. The sanitize behavior should still be reviewed in the code to ensure it does not accidentally log or transmit redacted values.
Persistence & Privilege
The skill does not request always:true and is not requesting elevated or persistent platform privileges. It operates on files in the workspace and creates local backups; its described pre-restore backups and retention/prune plans are scoped to its own backup directory. It does not claim to modify other skills or system-wide agent settings.
What to consider before installing
This skill mostly matches its description (local backup/restore of SOUL files), but before installing or running it: 1) Ensure Node.js is installed and available as `node` (the registry metadata omitted this requirement). 2) Inspect the scripts (scripts/*.mjs) yourself to verify there are no unexpected network calls or logging of secrets — the SKILL.md says openclaw.json is sanitized, but you should confirm the sanitize routine only redacts and does not transmit or persist sensitive values in logs. 3) Run the scripts from a test workspace first (or with dry-run flags) to confirm behavior and that paths conform to your environment. 4) Do not run as root and avoid committing backups to public repositories — keep backups stored off-machine if you need protection against machine loss. 5) Because the package contains executable scripts but no install step, you are responsible for placing them in the correct workspace path; verify .gitignore excludes backups/ and consider encrypting/moving sensitive backups to an off-machine location. If you want higher assurance, ask the publisher for an explicit statement of Node versions supported, and request a short audit of the sanitize/restore code paths to confirm no exfiltration or unexpected network activity.Like a lobster shell, security has layers — review code before you run it.
latestvk97c6ewcfm1rqawxgah91kprdn82a0a8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.