Openclaw Backup
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The backup/restore purpose is mostly coherent, but the GitHub push workflow can expose more sensitive backup material than the documentation implies.
Install only if you are comfortable backing up your OpenClaw workspace and, optionally, encrypted secrets. Before using GitHub push, verify the target repository is private and confirm whether a secrets archive will be included. Treat operational backups as sensitive, run restore with --dry-run first, and enable the daily cron only if you want ongoing background backups.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A backup containing .env files or agent auth profiles, although age-encrypted, may be uploaded to GitHub as part of a normal push when the user expected an operational-only upload.
The script can discover a secrets archive from the manifest and copy it to the GitHub repo even when the user did not pass --secrets.
if [ -n "$EXPECTED_SECRETS" ] && [ -f "$EXPECTED_SECRETS" ]; then
SECRETS_PATH="$EXPECTED_SECRETS"
...
if [ -n "$SECRETS_PATH" ]; then
cp "$SECRETS_PATH" "$REPO_DIR/archives/$(basename "$SECRETS_PATH")"
fiRequire an explicit --secrets flag and a confirmation prompt before pushing any secrets archive, and avoid pushing encrypted secrets unless there is a clear recovery need.
If a repo with the chosen name already exists and is public, operational backups containing workspace memory, prompts, scripts, and possibly encrypted secrets could be pushed publicly despite the private-backup framing.
The script only enforces --private when creating a new repository; an existing repository is used without checking whether it is private.
if gh repo view "$OWNER/$REPO_NAME" >/dev/null 2>&1; then info "Using existing repo: $OWNER/$REPO_NAME" gh repo clone "$OWNER/$REPO_NAME" "$WORK_DIR/$REPO_NAME" >/dev/null else info "Creating private repo: $OWNER/$REPO_NAME" gh repo create "$REPO_NAME" --private --clone ...
Check repository privacy before pushing, refuse public repos by default, and show the target repo and privacy status for user confirmation.
Even without API keys, operational backups may contain private context, business logic, instructions, or sensitive notes that should not be treated as harmless.
The operational archive intentionally includes persistent agent memory, prompts, scripts, and skills, and that archive is not encrypted by default.
`$HOME/.openclaw/workspace/` | Yes | Core agent memory, prompts, notes, local scripts, custom skills, active artifacts
Review operational archives before cloud or GitHub storage, and consider encrypting the operational archive too if the workspace contains private information.
Restoring an untrusted or tampered backup could execute shell code contained in that backup.
After restore, the script automatically runs a shell health-check script from the restored workspace if present.
HEALTHCHECK_SCRIPT="$OPENCLAW_DIR/workspace/scripts/pre-restart-check.sh" if [ -f "$HEALTHCHECK_SCRIPT" ]; then if ! bash "$HEALTHCHECK_SCRIPT"; then
Only restore trusted backups; inspect or remove workspace/scripts/pre-restart-check.sh before a real restore if the archive source is uncertain.
A mistaken restore or wrong archive can materially change the agent’s local configuration, memory, skills, and scheduled jobs.
A real restore can replace the local OpenClaw installation, but it is user-directed and prompts unless --force/--yes is used.
printf 'Restore into %s? Type RESTORE to continue: ' "$OPENCLAW_DIR" ... mv "$OPENCLAW_DIR" "$PRE_RESTORE_BACKUP" ... mv "$STAGING_DIR" "$OPENCLAW_DIR"
Run --dry-run first, verify the manifest and archive paths, and avoid --force unless operating in a controlled recovery procedure.
Backups may continue running in the background and producing archives until the cron job is removed.
The schedule script creates or replaces a persistent OpenClaw cron job that runs the backup command daily.
openclaw cron delete "$EXISTING_ID" >/dev/null ... openclaw cron create --json --name "$CRON_NAME" --cron "$CRON_EXPR" --system-event "$SYSTEM_EVENT"
Use scheduling only if you want recurring backups, and audit with `openclaw cron list` after installation.
The GitHub push workflow may fail or not include the intended ignore template; this is a provenance/reliability gap rather than evidence of hidden execution.
The script references templates/.gitignore, but that file is not present in the supplied file manifest.
cp "$SKILL_DIR/templates/.gitignore" "$REPO_DIR/.gitignore"
Include the referenced template file in the package or remove the dependency and document the expected .gitignore behavior.