Suspicious — Risk Score 45/100
Last scan: 1 day ago
clawclone
Backup, clone, and migrate OpenClaw data across instances with cloud upload/download
ClawClone skill documents backup of API keys and tokens with cloud upload capability, but the implementation file (clawclone.mjs) is missing, making it impossible to verify actual behavior.
Skill Name: clawclone
Duration: 32.2s
Engine: pi
Use with caution
Do not use until implementation files are provided and reviewed. The documented ability to backup credentials to an external cloud service raises significant data exfiltration concerns.

Findings 4 items

Severity Finding Location
High
Missing implementation file (Doc Mismatch)
SKILL.md references 'clawclone.mjs' for all operations, but this file does not exist in the skill directory. Unable to verify actual functionality.
node clawclone.mjs push --name...
→ Request implementation files before using this skill. Cannot verify stated functionality without code.
SKILL.md:1
High
Documented credential backup capability (Credential Theft)
SKILL.md explicitly states 'Config: Optional: API keys and tokens (if configured)' can be included in backups and uploaded to cloud.
| Config | Optional: API keys and tokens (if configured) |
→ Remove credential backup capability or provide verifiable safeguards. Users should never backup credentials automatically.
SKILL.md:23
Medium
Undeclared shell execution (Doc Mismatch)
SKILL.md documents node command execution but shell:WRITE permission is not declared in the metadata.
requires: bins: ['node', 'tar', 'npm']
→ Declare shell:WRITE permission if subprocess execution is required.
SKILL.md:6
Low
Hardcoded API key placeholder (Sensitive Access)
SKILL.md contains example with hardcoded API key placeholder at line 209.
export CLAWCLONE_API_KEY='your_clawclone_api_key'
→ Use placeholder text like <YOUR_API_KEY> instead of 'your_clawclone_api_key' to avoid accidental credential exposure.
SKILL.md:209
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:8 'write: ~/.openclaw/' |
| Network | READ | WRITE | ✗ Violation | SKILL.md:9 'network: https' but upload operations implied |
| Shell | NONE | WRITE | ✗ Violation | SKILL.md documents node clawclone.mjs execution |
1 High 3 findings
High API Key: Suspected hardcoded credential
API_KEY="your_clawclone_api_key"
SKILL.md:209
Medium External URL
https://clawclone.cc
SKILL.md:3
Medium External URL
https://clawclone.cc/dashboard/settings
SKILL.md:49

File Tree

2 files · 5.7 KB · 231 lines
Markdown 1f · 220L JSON 1f · 11L
├─ 📋 package.json JSON 11L · 293 B
└─ 📝 SKILL.md Markdown 220L · 5.4 KB

Dependencies 1 item

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| node | >=16.0.0 | system | No | System dependency, not a package manager dependency |

Security Positives

✓ SKILL.md is well-structured and documents functionality clearly
✓ Test mode (--test flag) available for safe preview before operations
✓ Local operations don't require API key - cloud features are optional
✓ Pre-restore backups created automatically at ~/.openclaw/backup