Security Audit

openclaw-backup

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned about 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

openclaw-backup received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 35 findings: 18 critical, 16 high, 1 medium, and 0 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, File read + network send exfiltration.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

Static Code Analysis

Dependency Graph

100%

LLM Behavioral Safety

55%

Behavioral Risk Signals

Network Access

16 findings

Filesystem Write

31 findings

Shell Execution

18 findings

Dynamic Code

1 finding

Excessive Permissions

32 findings

Security Findings35

Severity	Finding	Layer	Location
CRITICAL	Persistence / self-modification instructions Crontab manipulation (list/remove/edit) Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:457
CRITICAL	Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:12
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:33
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:61
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:62
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:63
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:64
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:67
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:68
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:72
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:486
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:492
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:499
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:502
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:505
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:529
CRITICAL	File read + network send exfiltration AI agent config/credential file access Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality.	Manifest	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:567
CRITICAL	Command injection vulnerability in restore_backup function The `restore_backup` function in the `openclaw-backup.sh` script directly uses the first command-line argument (`$1`) as the `backup_file` path in a `tar -xzvf` command. The shell performs command substitution (e.g., `$(command)`) on command-line arguments before the script even starts. An attacker controlling this argument can inject arbitrary shell commands, leading to arbitrary code execution with the privileges of the user running the script. For example, `./openclaw-backup.sh restore "$(rm -rf /)"` would execute `rm -rf /`. Implement strict input validation for the `backup_file` argument to ensure it contains only safe characters (e.g., alphanumeric, dots, hyphens, forward slashes) and does not contain any shell metacharacters or command substitutions. A whitelist approach using regular expressions is recommended. Alternatively, consider using a safer method for selecting backup files, such as presenting a numbered list to the user and having them choose an index, or using `read` to get input without shell expansion.	LLM	SKILL.md:228
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:33
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:61
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:62
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:63
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:64
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:67
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:68
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:72
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:486
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:492
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:499
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:502
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:505
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:529
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:567
HIGH	Instruction to execute unverified code from glot.io (Supply Chain Risk) The skill's setup instructions for macOS direct users to visit a `glot.io` snippet and execute its contents in their terminal. `glot.io` is a code-sharing platform, and executing code directly from such a source without prior review is a significant supply chain risk. The content of the snippet is not provided or verified within the skill package, making it a potential vector for arbitrary code execution on the user's machine if the snippet's content is malicious or compromised. Do not instruct users to execute code from unverified third-party pastebin-like services. If external code is required, it should be included directly in the skill package, hosted on a trusted and version-controlled platform (e.g., a specific commit/tag on GitHub), or provided with clear instructions for manual review and verification (e.g., checksums) before execution.	LLM	SKILL.md:17
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/hightower6eu/openclaw-backup-wrxw0/SKILL.md:83

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/f9acc28c9ded7a2b.svg)](https://skillshield.io/report/f9acc28c9ded7a2b)