SOUL Backup Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local backup and restore skill, but users should treat restores and backup storage carefully because they can replace agent files and preserve sensitive workspace data.

Install only if you want a local backup/restore tool for OpenClaw SOUL files. Run a restore with `--dry-run` before doing the real restore, make a fresh backup before replacing files, and keep the backups private because USER.md, TOOLS.md, and other SOUL files may contain sensitive information. Enable the cron or hook examples only if you are comfortable with recurring local writes, logs, and backup pruning.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (14)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The checklist states that actual restore, single-file restore, and rollback testing are still pending, yet the release notes present single-file restore and automatic rollback as shipped capabilities. This can mislead users into relying on safety-critical recovery features that may not work correctly, increasing the chance of data loss during restore operations.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The community announcement advertises automatic rollback as an available safety feature even though rollback testing is marked pending elsewhere in the checklist. Users may perform destructive restore actions with a false expectation that rollback protection is reliable, which can worsen recovery outcomes if restore fails.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The Reddit/Hacker News copy promotes automatic rollback and pre-restore safety backups as established features while the checklist shows rollback testing is still pending. Publicly overstating recovery protections can cause users to trust the tool for high-risk restore workflows before those controls are validated.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The quick-start documentation shows `node scripts/restore.mjs` as a simple default action without an adjacent warning that restore operations can overwrite existing workspace files. In a backup/restore skill, users often copy commands verbatim, so minimizing overwrite risk in the most prominent usage path is important even if safer guidance appears elsewhere in the document.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The restore examples show commands that replace files in the workspace but do not warn users that current changes may be overwritten. In a backup/restore skill this behavior is expected, but omitting an explicit warning increases the chance of accidental data loss during routine use.

Missing User Warnings

High
Confidence
97% confidence
Finding
The emergency recovery example uses `cp -r .../* .`, which can silently overwrite files in the current workspace with backup contents and provides no warning or safety check. Because this bypasses the scripted validation and confirmation flow, it has a higher chance of destructive operator error and unintended restoration of stale or unsafe files.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The report explicitly recommends 'curl | bash' as a primary distribution method without any safety qualification. Piping a remotely fetched script directly into a shell removes the user's chance to inspect what will run and can lead to arbitrary code execution if the source, transport, or hosting account is compromised.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The report provides manual and scripted restore procedures that overwrite workspace files, but this file does not prominently warn about destructive consequences or require an explicit confirmation step. In a backup/restore skill, restore operations are inherently sensitive, so under-documented overwrite behavior can lead to accidental data loss even if the underlying purpose is legitimate.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quick start documents restore operations that overwrite workspace files but does not place a clear warning immediately around the command that restoration modifies existing user data. In a backup/restore skill, users are likely to copy-paste commands directly, so omission of an explicit overwrite warning increases the chance of accidental destructive changes even if the behavior is expected.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The single-file and full restore examples show destructive commands without an explicit caution that existing SOUL files may be replaced. Because this is operational documentation for recovery, the context makes the omission more dangerous: users under stress after accidental deletion or bad changes may run the commands without noticing that current data can be overwritten.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README provides restore and disaster-recovery commands that overwrite workspace files and instruct users to copy a sanitized backup directly onto ~/.openclaw/openclaw.json, but it does not prominently warn that current state will be replaced and any unsaved configuration may be lost. In an operational recovery guide, this can lead to accidental destructive actions, especially when users are following step-by-step instructions during an outage.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The release notes and quick-start show restore commands that modify SOUL files but do not prominently warn that applying a restore can overwrite the current agent configuration and state. In a backup/restore skill, omission of this warning is dangerous because users may run restore commands assuming they are non-destructive after a dry-run preview.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The runbook includes restore commands that can overwrite workspace files, but the quick-reference section does not clearly foreground the destructive nature of restore operations or require a dry-run/confirmation step before use. In a backup/restore skill this behavior is expected, but inadequate warning increases the chance of accidental data loss or rollback to the wrong state by operators following copy-paste instructions.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The automation section recommends cron jobs and hooks that continuously write backups and logs on the user's system, but it does not clearly warn about ongoing persistence, disk consumption, log file creation, or the operational impact of unattended execution. While this is standard automation guidance, users may enable it without understanding that it creates recurring local activity and artifacts.

VirusTotal

66/66 vendors flagged this skill as clean.
