Security Decision Report

backup-2-github

A hardcoded default GitHub repository could silently exfiltrate user configuration data to an unintended third-party repository if a token is set but the repo is not configured.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 5
IOCs: 0
Overreach items: 2
Findings: 4
Most direct threat evidence
01
User installs skill and sets GITHUB_TOKEN env var (e.g., from CI/CD or shared config)
Initial entry · backup.py
02
User runs backup without configuring GITHUB_REPO, skill silently uses default 'fangbb-coder/OC-backup'
Privilege escalation · backup.py
03
All user configs (USER.md, IDENTITY.md, SOUL.md, TOOLS.md, MEMORY.md, openclaw.json, cron configs) pushed to hardcoded third-party repo
Final impact · backup.py

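Why this conclusion was reached

2 of 4 dimensions triggered

Block · Declared vs. actual capabilities

Found 2 capabilities or overreaching behaviors beyond what is declared.

Pass · Hidden execution and outbound connections

No obvious high-risk outbound connection or execution signals at present.

Block · Attack chain and high-severity findings

The report contains a 4-step attack chain, plus 1 high or critical finding.

Review · Dependency and supply-chain hygiene

Found 2 dependency or supply-chain leads that need attention.

Attack chain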

01
User installs skill and sets GITHUB_TOKEN env var (e.g., from CI/CD or shared config)

Initial entry · backup.py:24

02
User runs backup without configuring GITHUB_REPO, skill silently uses default 'fangbb-coder/OC-backup'

Privilege escalation · backup.py:27

03
All user configs (USER.md, IDENTITY.md, SOUL.md, TOOLS.md, MEMORY.md, openclaw.json, cron configs) pushed to hardcoded third-party repo

Final impact · backup.py:134

04
Attacker (repo owner 'fangbb-coder') gains access to user's full AI persona, identity, tools, and schedule data

Final impact · _clawsafe/pre-scan.json

How the risk score was raised

Hardcoded default repo with user token +40

Default GITHUB_REPO='fangbb-coder/OC-backup' means user's GitHub token will push sensitive configs to a third-party repo if only GITHUB_TOKEN is set

Doc-code mismatch on credentials +15

SKILL.md mentions backing up credentials/*.json but BACKUP_FILES in backup.py does not include this path

Unpinned dependency versions +10

PyGithub uses >=1.59.0 and python-dotenv uses >=1.0.0, allowing supply chain attacks via version upgrades

Key evidence

High · Data exfiltration

Hardcoded Default Repository Exposes User Data

The GITHUB_REPO defaults to 'fangbb-coder/OC-backup'. If a user sets only GITHUB_TOKEN (or has it from another context) without configuring GITHUB_REPO, their entire OpenClaw configuration — including USER.md, IDENTITY.md, SOUL.md, TOOLS.md, MEMORY.md, openclaw.json, and cron configs — will be silently pushed to the hardcoded third-party repository.

backup.py:27
Remove the default value. Require GITHUB_REPO to be explicitly set, and fail with a clear error message if not configured.

Medium · Documentation deception

Credentials Backup Claimed But Not Implemented

SKILL.md explicitly mentions backing up 'credentials/*.json (Xiaohongshu cookies, etc.)' but the BACKUP_FILES list in backup.py does not include any credentials paths. This creates a false expectation for users seeking credential backup functionality.

SKILL.md:24
Either add credentials paths to BACKUP_FILES or remove this claim from documentation.

Medium · Supply chain

Unpinned Dependency Versions

PyGithub uses >=1.59.0 and python-dotenv uses >=1.0.0, allowing automatic upgrades to newer versions that could introduce malicious code.

requirements.txt:1
Pin exact versions (e.g., PyGithub==1.59.1) to prevent supply chain attacks.

Low · Sensitive access

Undeclared Environment Variable Access

The skill reads GITHUB_TOKEN and GITHUB_REPO from environment variables but does not declare 'environment' as a capability in SKILL.md or skill.yaml.

backup.py:24
Declare 'environment: READ' capability in skill.yaml capabilities list.

Declared capabilities vs. actual capabilities

File system · Pass
Declared: READ
Inferred: READ
Reads ~/.openclaw/workspace and ~/.openclaw paths only for backup purposes

Network access · Block
Declared: WRITE
Inferred: WRITE
SKILL.md declares 'github' capability but backup.py silently defaults to hardcoded repo without explicit consent

Environment variables · Block
Declared: NONE
Inferred: READ
Reads GITHUB_TOKEN and GITHUB_REPO from env vars without declaring in SKILL.md

Command execution · Pass
Declared: NONE
Inferred: NONE
No shell execution found

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
PyGithub | >=1.59.0 | pip | - | Version not pinned, uses >= constraint
python-dotenv | >=1.0.0 | pip | - | Version not pinned, uses >= constraint

File composition

5 files · 542 lines
Python: 1 file · 283 lines
Markdown: 2 files · 241 lines
YAML: 1 file · 15 lines
Text: 1 file · 3 lines

Files needing attention · 3
backup.py (Python · 283 lines)
Hardcoded Default Repository Exposes User Data · Undeclared Environment Variable Access
SKILL.md (Markdown · 108 lines)
Credentials Backup Claimed But Not Implemented
requirements.txt (Text · 3 lines)
Unpinned Dependency Versions
Other files · README.md · skill.yaml

Security highlights

No shell execution (subprocess, os.system, curl|bash) — legitimate use of PyGithub API client
No base64 encoding, eval, or obfuscation detected
No hardcoded credentials in source code
Dry-run mode allows safe preview without data transfer
Uses .env file pattern for token storage (not hardcoded)
Exclusion patterns prevent accidental backup of large/cached files