中文 EN

Scan Report

Scan New Files

High Risk — Risk Score 65/100
Last scan:18 hr ago Rescan
65 /100
backup-2-github
Backup OpenClaw personalized configuration and user data to GitHub
Hardcoded default GitHub repository could silently exfiltrate user configuration data to an unintended third-party repository if token is set but repo is not configured.
Skill Namebackup-2-github
Duration39.1s
Enginepi
Do not install this skill
Remove the hardcoded default repository 'fangbb-coder/OC-backup' and require explicit GITHUB_REPO configuration. This prevents accidental data exfiltration to an external repository.

Attack Chain 4 steps

Entry User installs skill and sets GITHUB_TOKEN env var (e.g., from CI/CD or shared config)
backup.py:24
Escalation User runs backup without configuring GITHUB_REPO, skill silently uses default 'fangbb-coder/OC-backup'
backup.py:27
Impact All user configs (USER.md, IDENTITY.md, SOUL.md, TOOLS.md, MEMORY.md, openclaw.json, cron configs) pushed to hardcoded third-party repo
backup.py:134
Impact Attacker (repo owner 'fangbb-coder') gains access to user's full AI persona, identity, tools, and schedule data
_clawsafe/pre-scan.json

Findings 4 items

Severity Finding Location
High
Hardcoded Default Repository Exposes User Data Data Exfil
The GITHUB_REPO defaults to 'fangbb-coder/OC-backup'. If a user sets only GITHUB_TOKEN (or has it from another context) without configuring GITHUB_REPO, their entire OpenClaw configuration — including USER.md, IDENTITY.md, SOUL.md, TOOLS.md, MEMORY.md, openclaw.json, and cron configs — will be silently pushed to the hardcoded third-party repository.
GITHUB_REPO = os.getenv("GITHUB_REPO", "fangbb-coder/OC-backup")
→ Remove the default value. Require GITHUB_REPO to be explicitly set, and fail with a clear error message if not configured.
 backup.py:27
Medium
Credentials Backup Claimed But Not Implemented Doc Mismatch
SKILL.md explicitly mentions backing up 'credentials/*.json (Xiaohongshu cookies, etc.)' but the BACKUP_FILES list in backup.py does not include any credentials paths. This creates a false expectation for users seeking credential backup functionality.
Credentials** (optional): `credentials/*.json` (Xiaohongshu cookies, etc.)
→ Either add credentials paths to BACKUP_FILES or remove this claim from documentation.
 SKILL.md:24
Medium
Unpinned Dependency Versions Supply Chain
PyGithub uses >=1.59.0 and python-dotenv uses >=1.0.0, allowing automatic upgrades to newer versions that could introduce malicious code.
PyGithub>=1.59.0
→ Pin exact versions (e.g., PyGithub==1.59.1) to prevent supply chain attacks.
 requirements.txt:1
Low
Undeclared Environment Variable Access Sensitive Access
The skill reads GITHUB_TOKEN and GITHUB_REPO from environment variables but does not declare 'environment' as a capability in SKILL.md or skill.yaml.
GITHUB_TOKEN = os.getenv("GITHUB_TOKEN")
→ Declare 'environment: READ' capability in skill.yaml capabilities list.
 backup.py:24
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned Reads ~/.openclaw/workspace and ~/.openclaw paths only for backup purposes
Network WRITE WRITE ✗ Violation SKILL.md declares 'github' capability but backup.py silently defaults to hardcod…
Environment NONE READ ✗ Violation Reads GITHUB_TOKEN and GITHUB_REPO from env vars without declaring in SKILL.md
Shell NONE NONE No shell execution found

File Tree

5 files · 15.3 KB · 542 lines
Python 1f · 283L Markdown 2f · 241L YAML 1f · 15L Text 1f · 3L
├─ 🐍 backup.py Python 283L · 7.9 KB
├─ 📝 README.md Markdown 133L · 3.7 KB
├─ 📄 requirements.txt Text 3L · 60 B
├─ 📝 SKILL.md Markdown 108L · 3.4 KB
└─ 📋 skill.yaml YAML 15L · 288 B

Dependencies 2 items

PackageVersionSourceKnown VulnsNotes
PyGithub >=1.59.0 pip No Version not pinned, uses >= constraint
python-dotenv >=1.0.0 pip No Version not pinned, uses >= constraint

Security Positives

✓ No shell execution (subprocess, os.system, curl|bash) — legitimate use of PyGithub API client
✓ No base64 encoding, eval, or obfuscation detected
✓ No hardcoded credentials in source code
✓ Dry-run mode allows safe preview without data transfer
✓ Uses .env file pattern for token storage (not hardcoded)
✓ Exclusion patterns prevent accidental backup of large/cached files