OpenClaw Backup

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for OpenClaw backups, but it includes high-impact restore and cleanup behavior that users should review before installing.

Install only if you are comfortable auditing the shell scripts first. Use dry-run restore before live restore, restore only trusted backups, inspect any restored pre-restart-check.sh before allowing it to run, and treat weekly verification as cleanup that can delete older backups. Keep secrets archives encrypted and avoid pushing them unless you intentionally choose to do so.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 97%
Finding
The skill advertises and instructs use of shell commands plus backup, restore, verification, and GitHub push operations, but the manifest shown in SKILL.md does not declare corresponding permissions. This creates a trust and review gap: an agent or reviewer may underestimate the skill's ability to read, write, and modify local state or invoke external tooling, which is especially risky for destructive restore and backup-maintenance workflows.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The documented purpose frames the skill as backup/restore and safe archive handling, but the detected behavior is materially broader: cron creation/deletion, retention pruning, orphan cleanup, snapshot cleanup, and GitHub repository creation all introduce additional state-changing and potentially destructive effects. This mismatch can cause operators or downstream agents to invoke the skill in contexts where they do not expect scheduling changes, file deletion, or remote publishing, increasing the chance of data loss, persistence changes, or unintended exfiltration.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The restore flow executes a health-check script taken directly from the restored backup contents, meaning a malicious or tampered backup can achieve arbitrary code execution during restore. This is especially dangerous because the script runs after the target directory has been swapped into place, so simply restoring an untrusted archive can trigger execution without any integrity boundary beyond the backup artifact itself.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script named `weekly-verify.sh` performs far more than verification: it computes retention, deletes old backup run directories with `rm -rf`, removes orphan manifests, and deletes secrets archives when a manifest is missing. This is dangerous because a user or automation invoking it for integrity checking can unexpectedly lose backups, especially if manifests are corrupted or timestamps are malformed, turning a verification routine into a destructive maintenance action.

Missing User Warnings

Medium
Confidence: 92%
Finding
The partial-restore examples directly copy files into the live `~/.openclaw` tree and can overwrite existing workspace, config, or cron data without an explicit warning, backup step, or validation prompt. In a disaster-recovery guide this is especially risky because operators may run the commands under stress, causing accidental loss of current data or replacement of valid settings with stale backup content.

Missing User Warnings

Medium
Confidence: 91%
Finding
The workflow text explicitly states that the weekly verify process prunes retention data and cleans orphaned files, but it provides no warning that these actions may delete backup artifacts. In a backup/disaster-recovery skill, unclear destructive behavior can cause users to unintentionally remove needed recovery points, weakening recoverability and potentially causing data loss during an incident.

Missing User Warnings

Medium
Confidence: 91%
Finding
The cleanup section deletes directories and files automatically without any explicit user-facing warning at execution time, despite operating on backup material and age-encrypted secrets. In scheduled or unattended contexts, this can silently destroy recovery artifacts, and if `BACKUP_DIR` is misconfigured or backup state is partially corrupted, the user may not realize data has been removed until restore is needed.

VirusTotal

63/63 vendors flagged this skill as clean.
