openclaw-backup

Warn

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The backup script targets openclaw.json and the agents configuration directories. Despite documentation stating that credentials are not backed up, these files are the standard locations for storing API keys and authentication tokens in the OpenClaw platform.
  • [COMMAND_EXECUTION]: The restore.py script uses the tarfile.extractall() method without security filters. This makes the system vulnerable to directory traversal attacks, where a malicious backup file could be crafted to overwrite arbitrary files on the user's filesystem during the restoration process.
  • [DATA_EXFILTRATION]: The skill's documentation encourages users to push their .tar.gz backups to GitHub. Given that these archives likely contain sensitive platform credentials, this practice significantly increases the risk of secret exposure if the repository is not strictly secured.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 9, 2026, 07:23 AM