High Risk — Risk Score 65/100
Last scan: 16 hr ago
openclaw-backup
OpenClaw backup and restore tool
Skill claims to include PowerShell backup scripts that do not exist in the package, creating a doc-to-code mismatch. The skill references backing up 'FluxA Wallet' (crypto wallet) and OpenClaw configs without providing actual implementation files.
Skill Name: openclaw-backup
Duration: 36.3s
Engine: pi
Do not install this skill
Do not use this skill until actual scripts are provided and verified. Request the developer to include the actual PowerShell scripts referenced in the documentation.

Findings 4 items

Severity Finding Location
High
Missing implementation scripts [Doc Mismatch]
SKILL.md and README.md describe four PowerShell scripts (quick_backup.ps1, full_backup.ps1, restore_backup.ps1, list_backups.ps1) but the scripts/ directory does not exist in the package. Only documentation files are present.
### quick_backup.ps1
**Purpose**: Quickly back up core files...
→ Request developer to include actual implementation scripts before use
SKILL.md:117
Medium
FluxA Wallet backup without explanation [Sensitive Access]
The skill claims to back up 'FluxA Wallet' configuration. FluxA appears to be a cryptocurrency wallet. The documentation does not explain what data is being backed up, where FluxA stores its data, or how this data is handled.
📦 备份 FluxA Wallet...
   ✅ FluxA 配置
→ Clarify what FluxA data is accessed and ensure no private keys or seed phrases are exposed
SKILL.md:25
Medium
Auto-backup schedule mechanism undeclared [Doc Mismatch]
SKILL.md mentions 'autoBackupSchedule' cron configuration and Windows Task Scheduler integration but no actual implementation of scheduled task creation is provided.
autoBackupSchedule | "0 2 * * *" | Auto-backup cron expression
→ Clarify how scheduled backups are implemented without providing persistence mechanisms
SKILL.md:69
Low
No allowed-tools declaration [Priv Escalation]
SKILL.md does not include the allowed-tools mapping section that defines what tools the skill can use and at what permission levels.
No allowed-tools section found
→ Add allowed-tools declaration to clearly state filesystem/shell access requirements
SKILL.md:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ,WRITE | UNKNOWN | ✓ Aligned | SKILL.md describes backup/restore but no scripts exist to verify
Shell | WRITE | UNKNOWN | ✓ Aligned | PowerShell scripts referenced but not present
Network | NONE | NONE | | No network calls described in docs
Credential | NONE | UNKNOWN | ✓ Aligned | FluxA Wallet backup implies credential/access to crypto wallet data
3 findings
Medium External URL
https://clawhub.com/skills/openclaw-backup
README.md:11
Medium External URL
https://clawhub.com/discuss
README.md:294
Info Email
[email protected]
README.md:295

File Tree

3 files · 12.2 KB · 593 lines
Markdown 2f · 580L JSON 1f · 13L
├─ 📋 _meta.json JSON 13L · 230 B
├─ 📝 README.md Markdown 301L · 6.2 KB
└─ 📝 SKILL.md Markdown 279L · 5.8 KB

Security Positives

✓ No base64-encoded content or obfuscation observed
✓ No credential exfiltration or external IP communications described
✓ No reverse shell or C2 infrastructure references
✓ Documentation is comprehensive and clear about intended behavior
✓ MIT license is included