alfred-github-backup

Security checks across malware telemetry and agentic risk

Overview

This is a real GitHub backup skill, but it handles GitHub tokens and sensitive workspace files too broadly for a normal install without careful review.

Review before installing. Use a fine-grained, revocable GitHub token limited to one private backup repository, and avoid pasting tokens into chat. Inspect exactly what will be committed before pushing, and exclude or encrypt memory and identity files if they contain private data. Confirm how to disable the scheduled backup and how to restore safely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The skill promises a safe GitHub backup workflow but the documented behavior is incomplete and omits critical security-relevant details, including direct token placement in a Git remote URL. This mismatch can cause users to trust a workflow that is not actually implemented safely, increasing the chance of credential exposure, accidental destructive actions, or backing up more data than expected.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding: The skill claims sensitive information and API keys are not backed up, but the backup set includes files such as USER.md, SOUL.md, TOOLS.md, AGENTS.md, memory/, and skills/ that commonly contain secrets, prompts, identity data, and operational configuration. This creates a strong risk of exfiltrating confidential local data to GitHub under false assurances.

Description-Behavior Mismatch
Severity: Medium
Confidence: 82%
Finding: A skill presented as a backup utility also performs restore operations that overwrite the local workspace, which materially changes the risk profile from archival to destructive modification. Users invoking a backup-related skill may not expect overwrite behavior and could lose local state or reintroduce unsafe content from the repository.

Vague Triggers
Severity: Medium
Confidence: 78%
Finding: The trigger phrases are broad enough to match normal conversation, making accidental activation more likely. In a skill that handles backups, credentials, cron setup, and restore behavior, unintended invocation can lead to unwanted prompts, data transmission, or destructive file operations.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The skill instructs the user to paste a GitHub token directly into chat without any warning about credential sensitivity, storage, logging, or safer alternatives. Chat channels and agent logs are often retained, so this materially increases the risk of credential leakage and subsequent repository compromise.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The backup flow pushes workspace data to GitHub without clearly warning the user what specific files and directories will be uploaded or that they may contain sensitive information. Given the nature of the listed paths, users may unknowingly publish private agent, memory, and configuration data to a remote service.

Missing User Warnings
Severity: High
Confidence: 96%
Finding: The restore instructions copy repository contents over the workspace without warning about overwriting local files or losing uncommitted changes. This can destroy local data, reintroduce stale or malicious files, and make recovery difficult if run by an unsuspecting user.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The script embeds the GitHub token directly into the remote URL, which can expose the credential through process arguments, shell history, git configuration, logs, or later inspection via `git remote -v`. In this skill's backup context, the token is long-lived and grants repository access, so disclosure could let an attacker read, overwrite, or destroy backups and potentially pivot if the token has broader scopes.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The script stages and pushes a broad set of workspace files and directories to GitHub without any confirmation, preview, or warning that potentially sensitive local data will be transmitted off-host. Because this skill is specifically designed to back up an OpenClaw workspace, those files may contain agent instructions, memory, identity data, or secrets, making accidental exfiltration to a remote repository materially risky even if the repo is intended to be private.

Ssd 3
Severity: High
Confidence: 99%
Finding: Requesting that the user paste a GitHub token into the conversation exposes a live credential to the agent runtime, chat history, and any associated logs or telemetry. A leaked token with repo scope can allow unauthorized repository access, code tampering, or private data disclosure.

Ssd 3
Severity: High
Confidence: 97%
Finding: The documented backup commands commit and push files that are highly likely to contain sensitive user, agent, memory, and configuration data. In this skill context, that means the core purpose of the skill can directly exfiltrate private operational information unless carefully constrained.

VirusTotal

65/65 vendors flagged this skill as clean.