Backup and restore OpenClaw workspace, configs, and agent data to a Synology NAS via SMB. Use when: backing up workspace files, restoring from a snapshot, ch...
Security Analysis
high confidenceThe skill's code and instructions match its stated purpose (SMB backups to a Synology NAS); there are no unrelated credential requests or hidden network endpoints, but it requires normal system privileges (mounting, apt installs) and careful handling of the SMB credentials and any opt-in backup of .env files.
Name/description describe SMB backups to a Synology NAS and the included scripts (backup.sh, restore.sh, status.sh) implement exactly that. Required packages (cifs-utils, rsync) are documented in SKILL.md and are proportionate to the task. No unrelated services, keys, or binaries are requested.
SKILL.md and scripts stay within backup/restore/status boundaries. Scripts read only the declared config (~/.openclaw/synology-backup.json by default), the credentials file path, and files under ~/.openclaw and the configured mount. The restore script prompts for confirmation before overwriting. The documentation explicitly excludes .env by default and requires an opt-in to back it up.
No remote downloads or install spec included; scripts are shipped with the skill. SKILL.md recommends installing standard OS packages (apt-get install cifs-utils rsync), which is expected for SMB/rsync workflows and low risk compared to arbitrary downloads.
The skill does not request environment variables or external credentials from the platform. It reads a local credentials file (as documented) and an optional SYNOLOGY_BACKUP_CONFIG env var for an alternative config path — both are proportionate. The doc warns against inlining secrets and excludes .env by default.
always:false and normal autonomous invocation are used. The scripts require system-level actions (mounting CIFS, possibly adding an /etc/fstab entry, installing packages) which typically need root/sudo; this is expected for SMB mounts but requires the user to grant those privileges manually. The skill does not modify other skills or system-wide agent configs automatically.
Guidance
This skill appears to do exactly what it says: incremental backups to a Synology SMB share. Before installing or running it: 1) review and keep the SMB credentials file secure (use chmod 600 and consider root ownership if the credentials file is referenced from /etc/fstab); 2) do not opt in to backing up ~/.openclaw/.env (or any .env with API keys) unless you are confident the NAS share and dedicated user are tightly secured and you accept the risk; 3) expect to run package installs and mount commands with sudo and to edit /etc/fstab only if you understand the implications; 4) test on non-production data first (run backup and restore on a small sample) and verify snapshots and retention behave as expected; 5) consider encrypting very sensitive data before including it in backups. The scripts include input validation to reduce injection risk and prompt before destructive restores, but you should still inspect the files and run them in a controlled environment the first time.
Latest Release
v1.0.4
Security hardening: added regex validation for share (alphanumeric/slashes only), mountPoint (absolute path only), and backupPaths (no command substitution, semicolons, pipes, backticks, or path traversal). Added boolean validation for includeSubAgentWorkspaces. Restore workspace names validated against strict pattern. All config inputs now validated before any shell command execution.
More by @pfrederiksen
Published by @pfrederiksen on ClawHub
