MyClaw Backup — Powered by MyClaw.ai

Name/description, declared binaries (node, rsync, tar, python3, openclaw), and declared read/write permissions for ~/.openclaw match the implemented behavior. The scripts explicitly read and write OpenClaw state (workspace, openclaw.json, credentials, channels, agents, etc.), which is the stated goal.

SKILL.md and the included scripts are explicit about reading/writing ~/.openclaw and about scheduling and serving a web UI. That is in-scope for backup/restore. There are security-sensitive operations (restore overwrites files, schedule.sh edits crontab) and a built-in HTTP server that accepts uploads and serves downloads. The documentation and code implement safeguards (mandatory token to start server, POST /backup and POST /restore restricted to localhost in code). However: the server binds 0.0.0.0 (serve logs and listen on all interfaces), token is commonly passed in query parameters (appears in URLs/console output/UI), /health is unauthenticated, and the web UI can upload arbitrary .tar.gz files into the backup directory — so if the token or host exposure is misconfigured, an attacker with the token or an exposed port could download backups (containing bot tokens/API keys) or upload archives (which would not auto-restore remotely but could be a staging vector). These are security design notes rather than functional incoherence; the skill documents the risks and gives explicit warnings.

No external install downloader or remote code fetch; this is an instruction + script package that relies on local binaries. The included Node server uses child_process.execSync to run the shipped scripts (expected for this tool). No high-risk install steps (no arbitrary URL downloads or extract operations) are present.

The skill requests no external credentials or unrelated environment variables. It legitimately reads and writes ~/.openclaw (which contains secrets) for backup/restore. The only operational secret is the server token used to protect the HTTP UI; the skill does not request other unrelated keys. Note: token handling (appearing in query params and printed URLs) is less secure than header-only auth and increases risk of token leakage via logs or referers.

The skill does not set always:true and is user-invocable only. It does persist changes when invoked: schedule.sh modifies the user's crontab to add a recurring job, and serve.sh writes a pid file and logs in /tmp. These behaviors are expected for backup scheduling and a long-running UI but are persistent effects that require explicit user consent (crontab modification in particular).