Is openclaw-backup safe?
https://clawhub.ai/alex3alex/openclaw-backup
This skill is a legitimate OpenClaw backup utility, but it concentrates all credentials, API keys, auth tokens, and configuration into easily portable tar.gz archives at a predictable location. The cron template enables autonomous unattended execution, creating a significant exfiltration surface if any other component is compromised. The install process accessed .aws/credentials and .env files unexpectedly. No network exfiltration was detected, and canary files were untouched.
Findings (9)
CRITICAL Backup consolidates all credentials into portable archive -40
The skill archives credentials/, agents/ (auth profiles), and workspace/ into a single tar.gz file at a predictable path (~/openclaw-backups/openclaw-YYYY-MM-DD_HHMM.tar.gz). This creates a high-value exfiltration target — any subsequent skill or agent action with file read + network access can exfiltrate all credentials in one operation.
HIGH Install process accessed sensitive files unexpectedly -25
During installation, monitoring detected access to /home/oc-exec/.aws/credentials, /home/oc-exec/.env, and auth-profiles.json. A backup skill installation should not need to read AWS credentials or environment files. This may be OpenClaw platform behavior rather than skill-specific, but it represents unexpected sensitive file access during a skill install.
HIGH Executable shell script with broad filesystem access -35
scripts/backup.sh is a shell script that tars the entire ~/.openclaw/ directory. While currently benign, it is a mutation target: if the script is modified (by another skill or agent action), it could exfiltrate data, install persistence, or execute arbitrary commands. The script also uses 'xargs rm' for rotation, which could be dangerous if filenames are manipulated.
HIGH Cron template enables autonomous unattended execution -30
The SKILL.md provides a cron configuration that triggers the agent to run backup.sh autonomously at 3 AM UTC daily in an 'isolated' session. This means the backup (and any modifications to backup.sh) would execute without user oversight. A compromised backup.sh could silently exfiltrate data on schedule.
MEDIUM Cron payload uses agentTurn for autonomous shell execution -15
The cron template's agentTurn payload instructs the agent to autonomously run a shell command. While this is a documented OpenClaw pattern, it means the skill configures the agent to execute commands without user initiation. The payload message references ~/.openclaw/backup.sh (not the skill's own scripts/backup.sh), which is a different file that may not exist or could be tampered with.
MEDIUM Backup files stored in predictable user-accessible location -15
Backups are stored in ~/openclaw-backups/ with a predictable naming pattern (openclaw-YYYY-MM-DD_HHMM.tar.gz). Any process or skill with home directory read access can locate and read these archives containing all credentials.
MEDIUM Restore procedure includes destructive commands -10
The restore instructions include 'rm -rf ~/.openclaw' in the rollback section and 'mv ~/.openclaw', which could lead to data loss if misapplied. A social engineering attack could leverage these instructions to trick users into destroying their configuration.
LOW backup.sh suppresses tar error output -10
The backup script redirects tar's stderr to /dev/null (2>/dev/null), which would hide any error messages, including permission-denied errors that might indicate the script is accessing unexpected files.
INFO OpenClaw platform files accessed during install -5
Multiple reads of openclaw.json, .profile, and .bashrc appear to be standard OpenClaw platform initialization behavior rather than skill-specific actions. The /tmp/jiti/ files are JIT compilation cache.