Security audit

openclaw workspace backup

Security checks across malware telemetry and agentic risk

Overview

This is a coherent git backup skill, but it gives unattended push authority over configured repositories without enough destination validation or safeguards.

Install only if you intentionally want unattended git backups for the configured repositories. Before enabling it, inspect every WORKSPACE_<id> path, run git remote -v in each repo, confirm origin points to a dedicated private backup remote, check .gitignore and local files for secrets, and avoid --force unless you are prepared to rewrite the remote branch history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions even though its documented behavior clearly requires reading local configuration, accessing workspace files, writing git metadata/logs, and invoking shell/git operations. This under-declaration weakens user consent and security review because a backup skill can access and transmit repository contents without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose understates or misstates important behavior, including force-push capability, status/log inspection, use of the default origin remote rather than a GitHub-only destination, and claimed automatic scheduling/trigger behavior that is not implemented here. This mismatch is dangerous because users may authorize the skill expecting limited backup behavior while it can overwrite remote history or expose repository data to any configured remote.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The status command prints git working tree state for every configured workspace and the last 20 lines of the backup log to stdout. In an agent context, that can disclose repository names, filenames, branch identifiers, local paths, and git error text to users who only invoked a backup-related skill, expanding data exposure beyond the stated backup purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Supporting --force allows the tool to overwrite remote branch history, which is materially more destructive than a normal backup operation. In a scheduled or agent-triggered workflow, misuse or accidental invocation could permanently replace expected remote history and destroy recoverability.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents automated backups and force-pushes but does not warn that workspace contents may be uploaded to a remote service or that --force can rewrite branch history. In this context, the omission is security-relevant because the skill operates on potentially sensitive local repositories and is intended to run unattended on a schedule.

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.