Skillv1.0.0

ClawScan security

alfred-github-backup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 15, 2026, 7:41 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely matches a GitHub backup purpose, but there are important mismatches and security risks (token handling, hidden backups of potentially sensitive files, and an unimplemented 'create repo' claim) that you should understand before installing.
Guidance: Before installing or running this skill, consider the following: - Token handling: the workflow requires a personal access token (repo scope). Do not paste long-lived tokens into UI/chat unless you trust the agent. The provided script embeds the token in the Git remote URL, which will store it in .git/config in plaintext. Prefer alternatives: use a short-lived token, a deployment key, GitHub Actions with secrets, or a credential helper rather than embedding the token in the remote URL. - Repository creation mismatch: the skill description says it will create the repository but the script does not. Either manually create the private repo first, or inspect/extend the skill to use the GitHub API or gh CLI to create repos safely. - Sensitive data in backups: the script includes skills/ and memory/ in backups. Inspect the memory/ and skills/ contents for secrets, API keys, or credentials before backing them up. The SKILL.md claims 'API Keys not backed up', but that depends entirely on what files actually contain; do not assume secrets are excluded automatically. - Storage location and permissions: the script expects /root/.openclaw/workspace (and SKILL.md sometimes uses ~/.openclaw). Run the script as a non-root user where possible, confirm paths, and check file ownership and permissions so backups are not readable by unintended users. - Cron scheduling: the skill uses openclaw cron. Verify that 'openclaw cron add' behaves as expected in your environment and that scheduled jobs do not leak tokens (e.g., via command-line arguments visible in process lists or logs). - Safer alternatives: consider using a deploy key or repository-specific token with minimal permissions, using a Git credential helper or GPG-encrypted secrets in the repo, or using a hosted backup solution. If you proceed, rotate the token after initial testing and limit its scope and lifetime. If you want, I can: (1) produce a safer version of the backup script that avoids writing the token into .git/config (for example, using a temporary credential helper or GIT_ASKPASS wrapper), (2) add a repository-creation step using the GitHub API/gh with explicit permission guidance, or (3) produce a checklist of files to exclude from backups.

Review Dimensions

Purpose & Capability: concernThe description claims the skill will 'create the repository' and fully automate setup, but neither SKILL.md nor scripts perform repository creation via the GitHub API or gh/HTTP calls. The script simply expects a GitHub username, repo name and token and pushes — so a pre-existing repo (or manual creation) is actually required. Also the SKILL.md and script reference both /root/.openclaw/workspace and ~/.openclaw/workspace inconsistently.
Instruction Scope: concernThe runtime instructions ask the user to paste a repo-scoped GitHub token into the agent and then run git operations that will add and push files including skills/ and memory/. 'memory/' may contain sensitive secrets. The script embeds the token into the remote URL (git remote set-url https://x-access-token:TOKEN@github.com/...), which writes the token into the repository's .git/config in plaintext. The SKILL.md instructs scheduling via openclaw cron and running commands under /root, which implies root workspace access.
Install Mechanism: okThis is an instruction-only skill with a small shell script included; there is no install spec or remote download. That minimizes install-time risk.
Credentials: concernRequesting a GitHub token with repo scope is proportionate for pushing backups, but the agent asks the user to paste that token (sensitive) and the provided implementation stores it in git config (exfiltration risk if the workspace is shared). The skill does not declare required env vars explicitly, and there is no guidance to limit the token's scope or lifetime.
Persistence & Privilege: okalways:false and no install hook means the skill does not demand permanent/force-included privileges. It uses openclaw cron (normal for scheduled tasks) but does not modify other skills or global configs beyond the repository remote in the workspace.