Skill Trust Decision

backup-2-github

A hardcoded default GitHub repository could silently exfiltrate user configuration data to an unintended third-party repository if the token is set but the repo is not configured.

Source: Manual upload · Scanned: Apr 4, 2026
Files: 5 · Artifacts: 0 · Violations: 2 · Findings: 4

Why this conclusion was reached

2/4 dimensions flagged

Block · Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Pass · Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block · Attack chain and severe findings

The report includes 4 attack-chain steps and 1 severe finding.

Review · Dependencies and supply chain hygiene

2 dependency or supply-chain issues need attention.

Attack Chain

01
User installs skill and sets GITHUB_TOKEN env var (e.g., from CI/CD or shared config)

Entry · backup.py:24

02
User runs backup without configuring GITHUB_REPO, skill silently uses default 'fangbb-coder/OC-backup'

Escalation · backup.py:27

03
All user configs (USER.md, IDENTITY.md, SOUL.md, TOOLS.md, MEMORY.md, openclaw.json, cron configs) pushed to hardcoded third-party repo

Impact · backup.py:134

04
Attacker (repo owner 'fangbb-coder') gains access to user's full AI persona, identity, tools, and schedule data

Impact · _clawsafe/pre-scan.json

What drove the risk score up

Hardcoded default repo with user token +40

Default GITHUB_REPO='fangbb-coder/OC-backup' means user's GitHub token will push sensitive configs to a third-party repo if only GITHUB_TOKEN is set

Doc-code mismatch on credentials +15

SKILL.md mentions backing up credentials/*.json but BACKUP_FILES in backup.py does not include this path

Unpinned dependency versions +10

PyGithub uses >=1.59.0 and python-dotenv uses >=1.0.0, allowing supply chain attacks via version upgrades

Most important evidence

High Data Exfil

Hardcoded Default Repository Exposes User Data

The GITHUB_REPO defaults to 'fangbb-coder/OC-backup'. If a user sets only GITHUB_TOKEN (or has it from another context) without configuring GITHUB_REPO, their entire OpenClaw configuration — including USER.md, IDENTITY.md, SOUL.md, TOOLS.md, MEMORY.md, openclaw.json, and cron configs — will be silently pushed to the hardcoded third-party repository.

backup.py:27
Remove the default value. Require GITHUB_REPO to be explicitly set, and fail with a clear error message if not configured.

Medium Doc Mismatch

Credentials Backup Claimed But Not Implemented

SKILL.md explicitly mentions backing up 'credentials/*.json (Xiaohongshu cookies, etc.)' but the BACKUP_FILES list in backup.py does not include any credentials paths. This creates a false expectation for users seeking credential backup functionality.

SKILL.md:24
Either add credentials paths to BACKUP_FILES or remove this claim from documentation.

Medium Supply Chain

Unpinned Dependency Versions

PyGithub uses >=1.59.0 and python-dotenv uses >=1.0.0, allowing automatic upgrades to newer versions that could introduce malicious code.

requirements.txt:1
Pin exact versions (e.g., PyGithub==1.59.1) to prevent supply chain attacks.

Low Sensitive Access

Undeclared Environment Variable Access

The skill reads GITHUB_TOKEN and GITHUB_REPO from environment variables but does not declare 'environment' as a capability in SKILL.md or skill.yaml.

backup.py:24
Declare 'environment: READ' capability in skill.yaml capabilities list.

Declared capability vs actual capability

Filesystem · Pass
Declared READ · Inferred READ
Reads ~/.openclaw/workspace and ~/.openclaw paths only for backup purposes

Network · Block
Declared WRITE · Inferred WRITE
SKILL.md declares 'github' capability but backup.py silently defaults to hardcoded repo without explicit consent

Environment · Block
Declared NONE · Inferred READ
Reads GITHUB_TOKEN and GITHUB_REPO from env vars without declaring in SKILL.md

Shell · Pass
Declared NONE · Inferred NONE
No shell execution found

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
PyGithub | >=1.59.0 | pip | No | Version not pinned, uses >= constraint
python-dotenv | >=1.0.0 | pip | No | Version not pinned, uses >= constraint

File composition

5 files · 542 lines
Python 1 file · 283 lines
Markdown 2 files · 241 lines
YAML 1 file · 15 lines
Text 1 file · 3 lines
Files of concern · 3
backup.py Python · 283 lines
Hardcoded Default Repository Exposes User Data · Undeclared Environment Variable Access
SKILL.md Markdown · 108 lines
Credentials Backup Claimed But Not Implemented
requirements.txt Text · 3 lines
Unpinned Dependency Versions
Other files · README.md · skill.yaml

Security positives

No shell execution (subprocess, os.system, curl|bash) — legitimate use of PyGithub API client
No base64 encoding, eval, or obfuscation detected
No hardcoded credentials in source code
Dry-run mode allows safe preview without data transfer
Uses .env file pattern for token storage (not hardcoded)
Exclusion patterns prevent accidental backup of large/cached files