openclaw-backup-restore Security Report — Low Risk | ClawSafe

25 /100

openclaw-backup-restore

Backup, restore, validate, and GitHub-sync OpenClaw workspace state files with versioning, rollback, and off-machine recovery

Legitimate backup/restore skill with well-designed sanitization, but SKILL.md fails to declare its use of git operations (shell:WRITE equivalent) and network access, creating a doc-to-code mismatch.

Skill Nameopenclaw-backup-restore

Duration58.5s

Enginepi

✓

Safe to install

Add an 'allowed-tools' declaration and a 'Security Notes' section to SKILL.md explicitly listing git operations and the backup repo sync feature. This will close the doc deception gap without requiring any code changes.

Findings 3 items

Severity	Finding	Location
Medium	Git sync feature completely absent from SKILL.md Doc Mismatch scripts/backup-and-push.mjs performs git clone, fetch, add, commit, and push operations to sync backups to a remote repository. SKILL.md has a 'Daily GitHub Backup' section but only describes node scripts/backup-and-push.mjs, never mentioning the underlying git operations, the BACKUP_REPO_DIR environment variable, or that it clones a remote repo locally. This is a significant doc-to-code mismatch. `node scripts/backup-and-push.mjs --remote origin` → Add a section to SKILL.md explicitly describing git operations: 'Uses git clone/fetch/push to sync backup directory to a remote repository. Stores a local mirror at ~/.openclaw/backup-repos/'. Declare network:READ and shell:WRITE in allowed-tools.	`SKILL.md:48`
Low	No allowed-tools declaration in SKILL.md Priv Escalation SKILL.md declares no allowed-tools section. The capability model requires explicit permission declarations. The skill infers filesystem:WRITE, network:READ, shell:WRITE (via git), and environment:READ, none of which are declared. `No allowed-tools section found` → Add 'allowed-tools: Bash → shell:WRITE, Read → filesystem:READ, Write → filesystem:WRITE' to the skill header. Explicitly note that git operations require shell:WRITE equivalent access.	`SKILL.md:1`
Low	openclaw.json access not prominently flagged Sensitive Access backup.mjs reads ~/.openclaw/openclaw.json by default (via --raw-openclaw-config flag default in backup-and-push.mjs) and backs up agent files from ~/.openclaw/agents. SKILL.md briefly mentions TOOLS.md but does not prominently warn that API keys, tokens, and credentials stored in openclaw.json and TOOLS.md are being accessed and stored in backups. `openclaw.json is referenced only as 'optional real openclaw.json'` → Add a prominent 'Sensitive Data Handling' section warning that openclaw.json (containing API keys) and TOOLS.md (containing tool configurations) are backed up. Note that --raw-openclaw-config stores the raw file with secrets intact.	`SKILL.md:17`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`WRITE`	✗ Violation	backup.mjs:109 copies workspace files to backup dir; restore.mjs:139 writes file…
Network	`NONE`	`READ`	✗ Violation	backup-and-push.mjs:44 git remote get-url; lines 46-55 git clone/fetch/pull/push
Shell	`NONE`	`WRITE`	✗ Violation	backup-and-push.mjs:35-37 spawnSync('git', [...]) — git add/commit/push are shel…
Environment	`NONE`	`READ`	✗ Violation	backup.mjs:28 OPENCLAW_BACKUP_DIR; restore.mjs:21, list.mjs:18, validate.mjs:18 …
Skill Invoke	`NONE`	`NONE`	—	No inter-skill invocation observed

1 Critical 12 findings

💀

Critical Dangerous Command 危险 Shell 命令

curl | bash

FINAL-DELIVERY-REPORT.md:168

🔗

Medium External URL 外部 URL

https://keepachangelog.com/en/1.0.0/

CHANGELOG.md:5

🔗

Medium External URL 外部 URL

https://semver.org/spec/v2.0.0.html

CHANGELOG.md:6

🔗

Medium External URL 外部 URL

https://discord.com/invite/clawd

CONTRIBUTING.md:58

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai

QUICKSTART.md:155

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/License-MIT-yellow.svg

README.md:5

🔗

Medium External URL 外部 URL

https://opensource.org/licenses/MIT

README.md:5

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/node-%3E%3D18-brightgreen

README.md:6

🔗

Medium External URL 外部 URL

https://nodejs.org/

README.md:6

🔗

Medium External URL 外部 URL

https://clawhub.ai/skills/openclaw-workspace-backup-restore

README.md:305

🔗

Medium External URL 外部 URL

https://clawhub.com

README.md:320

🔗

Medium External URL 外部 URL

https://clawlite.ai

README.md:321

File Tree

25 files · 128.5 KB · 4648 lines

Markdown 14f · 3369L JavaScript 6f · 1162L JSON 2f · 59L Shell 3f · 58L

├─ ▾ 📁 examples

│ ├─ 🔧 automated-backup.sh Shell 16L · 507 B

│ ├─ 🔧 basic-backup.sh Shell 22L · 520 B

│ └─ 🔧 pre-deployment-hook.sh Shell 20L · 536 B

├─ ▾ 📁 scripts

│ ├─ 📜 backup-and-push.mjs JavaScript 121L · 4.0 KB

│ ├─ 📜 backup.mjs JavaScript 275L · 7.8 KB

│ ├─ 📜 list.mjs JavaScript 164L · 4.4 KB

│ ├─ 📜 restore.mjs JavaScript 264L · 7.7 KB

│ └─ 📜 validate.mjs JavaScript 210L · 5.9 KB

├─ ▾ 📁 tests

│ └─ 📜 test.mjs JavaScript 128L · 4.4 KB

├─ 📋 _meta.json JSON 5L · 109 B

├─ 📝 CHANGELOG.md Markdown 46L · 1.9 KB

├─ 📝 CONTRIBUTING.md Markdown 58L · 1.3 KB

├─ 📝 DELIVERY_REPORT.md Markdown 348L · 10.4 KB

├─ 📝 EXAMPLES.md Markdown 147L · 3.3 KB

├─ 📝 FEATURE_DEFINITION.md Markdown 321L · 10.2 KB

├─ 📝 FINAL-DELIVERY-REPORT.md Markdown 336L · 11.4 KB

├─ 📝 P0-1-DELIVERY-REPORT.md Markdown 254L · 7.0 KB

├─ 📝 P0-2-DELIVERY-REPORT.md Markdown 296L · 7.1 KB

├─ 📋 package.json JSON 54L · 1.5 KB

├─ 📝 QUICKSTART.md Markdown 155L · 3.0 KB

├─ 📝 README.md Markdown 325L · 7.8 KB

├─ 📝 RELEASE_CHECKLIST.md Markdown 355L · 8.4 KB

├─ 📝 RELEASE-CHECKLIST.md Markdown 110L · 3.2 KB

├─ 📝 RUNBOOK.md Markdown 313L · 8.0 KB

└─ 📝 SKILL.md Markdown 305L · 8.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`none (Node.js built-ins only)`	`N/A`	stdlib	No	Uses only: fs, path, crypto, os, child_process, util — no external packages

Security Positives

✓ No external npm dependencies — only uses Node.js built-in modules (fs, path, crypto, os, child_process), eliminating supply chain risk

✓ Pre-restore safety backup: every restore operation automatically creates a pre-restore backup before modifying workspace files

✓ SHA-256 hash verification in manifest prevents silent backup corruption

✓ No base64-encoded payloads, no eval(), no obfuscated code — all scripts are plain, readable JavaScript

✓ Dry-run mode for restore prevents accidental data loss

✓ No credential harvesting or exfiltration: git operations target user-specified remotes only

✓ Backups stored under user-controlled paths (OPENCLAW_BACKUP_DIR env var override supported)

✓ The 'curl | bash' pre-scan IOC is a false positive — it appears only as documentation text in FINAL-DELIVERY-REPORT.md discussing ClawLite's installer, not as executed code

Scan Report

Findings 3 items

File Tree

Dependencies 1 items

Security Positives