High risk: risk score 65/100
Last scan: 19 hours ago
openclaw-backup
OpenClaw backup and restore tool
The skill's documentation describes PowerShell backup scripts that do not exist in the package, a doc-to-code mismatch. It describes backing up 'FluxA Wallet' (a cryptocurrency wallet) and OpenClaw configs without shipping any implementation files.
Skill name: openclaw-backup
Analysis time: 36.3s
Engine: pi
Do not install this skill
Do not use this skill until the scripts are actually provided and reviewed. Ask the developer to ship the PowerShell scripts the documentation references.

Security findings: 4

High: Missing implementation scripts (Documentation deception)
SKILL.md and README.md describe four PowerShell scripts (quick_backup.ps1, full_backup.ps1, restore_backup.ps1, list_backups.ps1), but the package contains no scripts/ directory; only documentation files are present.
Evidence:
### quick_backup.ps1
**Purpose**: quickly back up core files...
→ Request that the developer include the implementation scripts before use
Location: SKILL.md:117
Medium: FluxA Wallet backup without explanation (Sensitive access)
The skill claims to back up the 'FluxA Wallet' configuration; FluxA appears to be a cryptocurrency wallet. The documentation does not explain what data is backed up, where FluxA stores it, or how the backup is handled.
Evidence:
📦 Backing up FluxA Wallet...
   ✅ FluxA configuration
→ Clarify what FluxA data is accessed and ensure no private keys or seed phrases are exposed
Location: SKILL.md:25
Medium: Auto-backup schedule mechanism undeclared (Documentation deception)
SKILL.md mentions an 'autoBackupSchedule' cron setting and Windows Task Scheduler integration, but no implementation of scheduled-task creation is provided.
Evidence:
autoBackupSchedule | "0 2 * * *" | cron expression for automatic backups
→ Clarify how scheduled backups are implemented; an undeclared scheduled task is a persistence mechanism and must be stated explicitly
Location: SKILL.md:69
Low: No allowed-tools declaration (Privilege escalation)
SKILL.md has no allowed-tools mapping section declaring which tools the skill may use and at what permission level.
Evidence:
No allowed-tools section found
→ Add an allowed-tools declaration that states the filesystem and shell access requirements
Location: SKILL.md:1
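The doc-to-code mismatch behind the first finding can be checked mechanically before a skill is installed. The Python below is an added example, not ClawHub's scan engine and not code from the openclaw-backup skill: it collects every script file name mentioned in a package's Markdown files, reports those with no matching file anywhere in the package, and separately flags wording that suggests wallet or credential access. It runs against a constructed sample package that mirrors this report (a SKILL.md and README.md referring to four .ps1 files, no scripts/ directory); the sample file contents and the sensitive-term list are assumptions made for the example.

```python
"""Doc-to-code mismatch check for a skill package (added example, not the scanner's code)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# A script reference is a bare name or relative path ending in a script extension,
# e.g. "quick_backup.ps1" or "scripts/restore_backup.ps1".
SCRIPT_REF = re.compile(r"[\w./-]+\.(?:ps1|sh|py|js)\b")

# Terms that indicate access to secrets. Hypothetical list chosen for this example.
SENSITIVE_TERMS = ("wallet", "seed phrase", "private key", "credential", "password")


def referenced_scripts(doc_text: str) -> set[str]:
    """Return the file names of every script a document refers to."""
    return {Path(m.group(0)).name for m in SCRIPT_REF.finditer(doc_text)}


def sensitive_mentions(doc_text: str) -> list[str]:
    """Return the sensitive-data terms a document mentions, in SENSITIVE_TERMS order."""
    lowered = doc_text.lower()
    return [term for term in SENSITIVE_TERMS if term in lowered]


def missing_scripts(package_root: Path) -> dict[str, list[str]]:
    """Map each Markdown doc to the scripts it references that are absent from the package.

    A non-empty result is the doc-to-code mismatch the report flags: documentation
    promising behaviour that no shipped file implements.
    """
    present = {p.name for p in package_root.rglob("*") if p.is_file()}
    mismatches: dict[str, list[str]] = {}
    for doc in sorted(package_root.rglob("*.md")):
        refs = referenced_scripts(doc.read_text(encoding="utf-8"))
        missing = sorted(name for name in refs if name not in present)
        if missing:
            mismatches[str(doc.relative_to(package_root))] = missing
    return mismatches


# Constructed sample package content mirroring the report: docs only, no scripts/ directory.
SAMPLE_SKILL_MD = """\
# openclaw-backup

## Scripts

### quick_backup.ps1
Purpose: quickly back up core files.

### full_backup.ps1
### restore_backup.ps1
### list_backups.ps1

Backing up FluxA Wallet... FluxA configuration done.

| autoBackupSchedule | "0 2 * * *" | cron expression for automatic backups |
"""

SAMPLE_README_MD = "Run scripts/quick_backup.ps1 to start. See SKILL.md for details.\n"


def demo(with_scripts: bool = False) -> dict[str, list[str]]:
    """Build the sample package in a temp dir and run the check against it.

    with_scripts=True adds the four promised .ps1 files so the check comes back clean.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "_meta.json").write_text('{"name": "openclaw-backup"}', encoding="utf-8")
        (root / "README.md").write_text(SAMPLE_README_MD, encoding="utf-8")
        (root / "SKILL.md").write_text(SAMPLE_SKILL_MD, encoding="utf-8")
        if with_scripts:
            scripts = root / "scripts"
            scripts.mkdir()
            for name in ("quick_backup", "full_backup", "restore_backup", "list_backups"):
                (scripts / f"{name}.ps1").write_text("# placeholder\n", encoding="utf-8")
        return missing_scripts(root)


if __name__ == "__main__":
    for doc, missing in demo().items():
        print(f"{doc}: references missing scripts {', '.join(missing)}")
    print("sensitive terms in SKILL.md:", sensitive_mentions(SAMPLE_SKILL_MD))
```

Point missing_scripts() at an unpacked skill directory to run it on a real package. A clean result only means the promised files exist; it says nothing about what they do, so the scripts still need review before the skill is trusted.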
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ,WRITE | UNKNOWN | ✓ Consistent | SKILL.md describes backup/restore, but no scripts exist to verify |
| Command execution | WRITE | UNKNOWN | ✓ Consistent | PowerShell scripts referenced but not present |
| Network access | NONE | NONE | | No network calls described in docs |
| Credentials | NONE | UNKNOWN | ✓ Consistent | FluxA Wallet backup implies access to crypto wallet data |

Inferred permissions are UNKNOWN because the package contains no executable code to analyze; the Consistent status reflects the absence of contradicting code, not verified behaviour.
External references: 3
Medium  External URL   https://clawhub.com/skills/openclaw-backup  (README.md:11)
Medium  External URL   https://clawhub.com/discuss  (README.md:294)
Info    Email address  [email protected]  (README.md:295)

Directory structure

3 files · 12.2 KB · 593 lines
Markdown: 2 files · 580 lines; JSON: 1 file · 13 lines
├─ _meta.json  JSON      13 lines · 230 B
├─ README.md   Markdown  301 lines · 6.2 KB
└─ SKILL.md    Markdown  279 lines · 5.8 KB

Security highlights

✓ No base64-encoded content or obfuscation observed
✓ No credential exfiltration or external IP communications described
✓ No reverse shell or C2 infrastructure references
✓ Documentation is comprehensive and clear about intended behavior
✓ MIT license is included