Is michael-crazy/clawdog-backup safe?

https://github.com/openclaw/skills/tree/main/skills/michael-crazy/clawdog-backup

Overall: 54/100 · CAUTION

ClawDog Backup is a backup/restore skill whose core design continuously monitors the agent's identity and instruction files (SOUL.md, AGENTS.md, IDENTITY.md, USER.md, TOOLS.md) and periodically packages the full memory directory, uploading both to OneDrive via rclone. Whoever controls the rclone-configured OneDrive account therefore receives a near-real-time copy of all agent configuration data. The restore function adds a write-back path: a crafted backup can overwrite the core agent files with attacker-controlled content, effectively reprogramming the agent's behavior persistently. No prompt injection was found in SKILL.md and canary files remained intact, but the architecture itself presents unacceptable data-sovereignty risks for the agent's most sensitive operational files.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 50/100 · 20%
Clone Behavior 65/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (8)

CRITICAL Real-time upload of all agent core system files to OneDrive -60

backup-core.sh uses inotifywait to watch SOUL.md, AGENTS.md, IDENTITY.md, USER.md, and TOOLS.md and uploads the full archive to OneDrive on every file modification event. These files define the agent's identity, values, instructions, and tool access. Any party controlling the rclone-configured OneDrive account receives a live stream of every agent configuration change.

CRITICAL Full agent memory directory exfiltrated weekly to OneDrive -20

backup-memory.sh packages the entire memory/ directory and uploads it to OneDrive on a weekly schedule. Agent memory typically contains conversation history, user preferences, task artifacts, cached credentials or tokens, and any sensitive content the agent has processed.

HIGH restore.sh provides write-back channel to overwrite agent identity files from cloud -40

restore.sh downloads archives from OneDrive and copies SOUL.md, AGENTS.md, IDENTITY.md, USER.md, TOOLS.md back into the agent workspace. An attacker controlling the OneDrive account can craft a malicious backup containing modified versions of these files and trigger a restore to permanently alter the agent's behavior, values, or instructions.

HIGH Persistent background inotify monitoring process created at skill activation -30

SKILL.md instructs the agent to launch backup-core.sh via nohup in the background, creating a persistent daemon that watches for file changes indefinitely. The process survives session termination, consumes system resources continuously, and keeps observing the workspace outside the agent's normal control flow, so the agent has no step at which it can review or stop the uploads.

MEDIUM Wildcard glob in restore.sh after untarring remote archive enables potential path traversal -20

restore.sh extracts a remotely fetched tar archive into a temp directory and then copies files out with a glob pattern rather than by explicit name. Archive members are not validated before extraction, so a maliciously crafted archive could place files (or links) at unexpected paths within the temp directory, and the wildcard copy could propagate them beyond the intended target files.
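The restore findings above (the write-back channel and the glob copy after untarring) call for the same fix: validate every archive member before anything is written, then copy only an explicit allowlist of regular files by name. The following is an added example of that pattern, not the skill's restore.sh; the allowlist, the tempdir workspace and the sample archives are assumptions and constructed inputs.

```python
"""Added example, not the skill's own restore.sh: restore an allowlisted set of
agent files from a backup archive, refusing any member that could escape the
extraction directory or plant a link. File names and paths are assumptions."""
import io
import os
import posixpath
import tarfile
import tempfile

# Files the restore may write back into the workspace (assumed set).
ALLOWED_FILES = frozenset({"SOUL.md", "AGENTS.md", "IDENTITY.md", "USER.md", "TOOLS.md"})


class UnsafeArchive(Exception):
    """Raised when an archive member must not be extracted."""


def is_safe_name(name: str) -> bool:
    """Reject absolute names and any '..' path component; './x' is allowed."""
    if name.startswith(("/", "\\")):
        return False
    return ".." not in name.split("/")


def check_member(member: tarfile.TarInfo) -> None:
    """Validate one member before anything is written to disk."""
    if not is_safe_name(member.name):
        raise UnsafeArchive(f"unsafe member name: {member.name!r}")
    if member.issym() or member.islnk():
        # A symlink named SOUL.md pointing at a credential file would turn a
        # later copy into a credential read, so links are refused outright.
        raise UnsafeArchive(f"link member refused: {member.name!r} -> {member.linkname!r}")
    if not (member.isreg() or member.isdir()):
        raise UnsafeArchive(f"unsupported member type: {member.name!r}")


def safe_restore(archive_bytes: bytes, workspace: str) -> dict:
    """Validate the whole archive, then write only allowlisted top-level regular
    files into workspace. Returns {name: bytes} for what was written."""
    written = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            check_member(m)            # any bad member aborts before the first write
        for m in members:
            name = posixpath.normpath(m.name)
            if not m.isreg() or name not in ALLOWED_FILES:
                continue               # memory/ contents, stray scripts, dirs: ignored
            data = tar.extractfile(m).read()
            with open(os.path.join(workspace, name), "wb") as fh:
                fh.write(data)
            written[name] = data
    return written


def restore_to_tempdir(archive_bytes: bytes) -> dict:
    """Restore into a fresh temporary workspace (stands in for the real one)."""
    return safe_restore(archive_bytes, tempfile.mkdtemp(prefix="restore-"))


def rejection_reason(archive_bytes: bytes):
    """None if the archive restores cleanly, else the UnsafeArchive message."""
    try:
        restore_to_tempdir(archive_bytes)
        return None
    except UnsafeArchive as exc:
        return str(exc)


def build_archive(files: dict, symlinks=None) -> bytes:
    """Construct an in-memory tar as sample input (constructed, not a real backup)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_archive({"SOUL.md": b"soul v2\n", "memory/notes.md": b"n\n", "evil.sh": b"#!/bin/sh\n"})
    print("restored:", sorted(restore_to_tempdir(good)))        # ['SOUL.md']
    for bad in (
        build_archive({"../etc/cron.d/agent": b"* * * * * root /tmp/x\n"}),
        build_archive({}, symlinks={"SOUL.md": "/root/.ssh/id_rsa"}),
    ):
        print("rejected:", rejection_reason(bad))
```

The two properties that matter are that validation runs over the complete member list before the first byte is written, so a bad member near the end cannot leave a half-applied restore, and that the copy step iterates the allowlist by exact name instead of globbing whatever the archive dropped into the temp directory.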

MEDIUM Sensitive credential files read during monitoring window -25

inotify and auditd both recorded OPEN/ACCESS events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials during the install window. Timing analysis suggests these reads originated from the monitoring framework's baseline and collection scans rather than from the skill's code, but attribution to the skill cannot be fully ruled out.
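Timing alone leaves the attribution open. auditd SYSCALL records carry the opener's pid and comm and share a serial with the PATH records naming the file, so each credential open can be tied to a process and checked against the skill's process tree (nohup'd backup-core.sh and its children) and against the skill's start time. The following is an added example of that join, not the scanner's or the skill's code; the audit lines, the process snapshot, the start time and the gcloud path are constructed samples, deliberately covering all three outcomes rather than reproducing what the scan observed.

```python
"""Added example (not the scanner's or the skill's code): attribute credential-file
opens recorded by auditd to the skill's process tree, the pre-install baseline, or
some other process. The audit records and process snapshot below are constructed
samples that follow auditd's SYSCALL/PATH record layout in simplified form."""
import re
from collections import defaultdict

# Paths treated as credential files; the gcloud location is an assumption.
CREDENTIAL_RE = re.compile(
    r"(/\.env$|/\.ssh/id_[^/]+$|/\.aws/credentials$|/\.npmrc$"
    r"|/\.docker/config\.json$|/\.config/gcloud/)"
)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Return (timestamp, serial, fields) for one audit record, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return float(m.group(1)), int(m.group(2)), fields


def group_events(lines):
    """Join SYSCALL and PATH records that share an audit serial."""
    events = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        ts, serial, f = parsed
        ev = events.setdefault(serial, {"ts": ts, "syscall": None, "paths": []})
        if f.get("type") == "SYSCALL":
            ev["syscall"] = f
        elif f.get("type") == "PATH" and "name" in f:
            ev["paths"].append(f["name"])
    return events


def process_tree(snapshot, root_pid):
    """pids of root_pid and all its descendants in a (pid, ppid, comm) snapshot."""
    children = defaultdict(list)
    for pid, ppid, _comm in snapshot:
        children[ppid].append(pid)
    tree, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in tree:
            tree.add(pid)
            stack.extend(children[pid])
    return tree


def attribute_credential_opens(lines, snapshot, skill_root_pid, skill_start_ts):
    """One verdict per credential path opened: which process did it and whether
    that process belongs to the skill, predates the skill, or is unrelated."""
    tree = process_tree(snapshot, skill_root_pid)
    verdicts = []
    for serial, ev in sorted(group_events(lines).items()):
        sc = ev["syscall"]
        if sc is None:
            continue
        for path in ev["paths"]:
            if not CREDENTIAL_RE.search(path):
                continue                      # workspace files etc. are not of interest here
            pid, comm = int(sc["pid"]), sc.get("comm", "?")
            if ev["ts"] < skill_start_ts:
                verdict = "baseline (before skill start)"
            elif pid in tree:
                verdict = "skill process tree"
            else:
                verdict = "other process"
            verdicts.append({"serial": serial, "path": path, "pid": pid, "comm": comm, "verdict": verdict})
    return verdicts


# Constructed sample data, not observations from the scan.
SKILL_START = 1700000010.0                  # when nohup backup-core.sh was launched
SNAPSHOT = [                                # (pid, ppid, comm)
    (1, 0, "systemd"),
    (900, 1, "baseline-scan"),
    (2200, 1, "backup-core.sh"),
    (2210, 2200, "inotifywait"),
    (2220, 2200, "rclone"),
    (2230, 2200, "cat"),
    (3000, 1, "collector"),
    (3010, 3000, "tar"),
]
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000005.200:301): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=900 comm="baseline-scan" exe="/opt/monitor/scan" key="creds"
type=PATH msg=audit(1700000005.200:301): item=0 name="/root/.ssh/id_rsa" nametype=NORMAL
type=SYSCALL msg=audit(1700000012.400:318): arch=c000003e syscall=257 success=yes exit=4 ppid=2200 pid=2220 comm="rclone" exe="/usr/bin/rclone" key="workspace"
type=PATH msg=audit(1700000012.400:318): item=0 name="/root/.openclaw/workspace/SOUL.md" nametype=NORMAL
type=SYSCALL msg=audit(1700000015.100:330): arch=c000003e syscall=257 success=yes exit=3 ppid=2200 pid=2230 comm="cat" exe="/usr/bin/cat" key="creds"
type=PATH msg=audit(1700000015.100:330): item=0 name="/root/.npmrc" nametype=NORMAL
type=SYSCALL msg=audit(1700000020.900:342): arch=c000003e syscall=257 success=yes exit=5 ppid=3000 pid=3010 comm="tar" exe="/usr/bin/tar" key="creds"
type=PATH msg=audit(1700000020.900:342): item=0 name="/root/.aws/credentials" nametype=NORMAL
type=PATH msg=audit(1700000020.900:342): item=1 name="/root/.docker/config.json" nametype=NORMAL
""".splitlines()

if __name__ == "__main__":
    for v in attribute_credential_opens(SAMPLE_AUDIT, SNAPSHOT, 2200, SKILL_START):
        print(f"{v['serial']} {v['path']} pid={v['pid']} comm={v['comm']}: {v['verdict']}")
```

With real data the snapshot would come from ps (or auditd's own ppid fields, which are already in the SYSCALL records) and the start time from the moment SKILL.md's nohup command ran; a credential open whose pid falls inside the skill's tree after that moment is the evidence the report could not produce from timing alone.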

LOW All scripts hardcoded to /root-level paths, implying root execution context -10

Every path in all three scripts is hardcoded to /root/.openclaw/workspace and /root/.openclaw/backup. The skill assumes it runs as root, maximizing the potential blast radius of any abuse.

INFO All honeypot canary files intact 0

The monitoring system confirmed no honeypot files were modified or confirmed-exfiltrated. While credential files were read, no write or confirmed network transmission of honeypot content was detected.