Is simple-backup safe?
https://clawhub.ai/VACInc/simple-backup
Simple-backup is a functionally legitimate backup utility, but its design creates significant exfiltration risk. The script backs up entire workspace and state directories (including credentials and auth tokens), can sync encrypted archives to an attacker-controlled remote via rclone, exposes the encryption passphrase on the command line, and declares wildcard npm dependencies on system binary names, creating a dependency confusion vector. Filesystem monitoring also detected reads of .env and .aws/credentials during the install phase.
Findings (10)
HIGH (-25): Backs up entire state directory including credentials
The script uses rsync to copy the entire ~/.openclaw state directory, which contains agent configuration, auth profiles, and potentially API keys/tokens. This data is then compressed and encrypted, but the encryption password could be known to an attacker who controls the skill config.
HIGH (-20): Rclone sync can send data to attacker-controlled remote
The remoteDest config value controls where encrypted backups are synced. If an attacker can modify the skill config in openclaw.json (via another skill, social engineering, or config injection), all backup archives are silently sent to the attacker's storage.
HIGH (-13): Sensitive files accessed during install phase
Filesystem monitoring detected reads of .env, .aws/credentials, and auth-profiles.json during the skill installation. While these may be from the OpenClaw framework rather than the skill itself, the access pattern is concerning.
HIGH (-30): Executable shell script with broad filesystem access
The skill ships a bash script registered as a binary that runs tar, gpg, rsync, and rclone with full user privileges. The script operates on user-configurable paths without input sanitization.
MEDIUM (-25): Wildcard npm dependencies on system binary names
package.json declares dependencies on 'rclone' and 'gpg' with version '*'. These are system binaries, not npm packages. This creates a dependency confusion vector — if malicious npm packages with these names exist or are published, npm install would fetch and potentially execute them.
MEDIUM (-20): GPG passphrase exposed via command line
The encryption password is passed directly on the gpg command line via --passphrase, making it visible in process listings (/proc/
MEDIUM (-15): Unsanitized user-configurable paths enable directory traversal
The script reads workspaceDir, stateDir, skillsDir, and backupRoot from user config and uses them directly in rsync and file operations. A malicious config value like '/' or '/etc' would cause the script to back up sensitive system directories.
MEDIUM (-30): Credential file reads during installation
The install phase triggered reads of .aws/credentials and .env files. Even if these are from the OpenClaw framework's install handler, the skill's presence in the install context correlates with the access.
LOW (-10): No prompt injection vectors detected
SKILL.md contains only standard documentation with no manipulation techniques, hidden instructions, or obfuscated content.
INFO (0): All canary files intact
No honeypot files were accessed or modified during skill installation or execution.