openclaw-backup
Audited by Socket on Feb 15, 2026
1 alert found:
Malware
[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]

The skill implements appropriate backup/restore capabilities for its stated purpose, but contains insecure secret-handling practices that materially increase the risk of data exposure: it prints generated passwords to stdout/stderr and stores them in plaintext in a workspace recovery file (.openclaw-backup-recovery.txt). The guidance to optionally commit that file to version control is dangerous. There is no clear evidence of malware (no obfuscation, no hidden network endpoints, no code-execution backdoors in the provided text), but the design choices around secret storage and logging are unsafe and warrant treating the skill as SUSPICIOUS until those issues are fixed (encrypt or protect recovery records, stop printing secrets to logs, avoid recommending committing recovery data to VCS, and consider stronger key management).

LLM verification: The skill implements a functional encrypted backup/restore workflow but includes multiple insecure operational practices that materially increase data-exfiltration and credential-exposure risk. Primary issues: plaintext persistence and emission of auto-generated decryption passwords; reliance on an unaudited third-party storage domain without documented authentication/attestation; and unpinned installation guidance.
I do not find explicit evidence of malicious code in the provided description, b