Security scan
OpenClaw
Security
medium confidence
Assessment and recommendations
This skill appears to do exactly what it says: it collects your OpenClaw agent files (including credentials), AES-256 encrypts them with a locally generated passphrase, and uploads them to https://api.keepmyclaw.com. Before installing/using it, consider: (1) Trust the service: the source/homepage is missing — verify keepmyclaw.com's legitimacy and privacy policy; (2) Protect recovery data: the skill instructs the agent to create an account, a random password, an API key, and a passphrase — you m...
✓ Purpose and capability
The name/description (encrypted off-site backup of OpenClaw agents) matches the scripts and SKILL.md: the skill reads ~/.openclaw, archives workspace/config/credentials/cron/agent dirs, encrypts with a local passphrase, and uploads to the Keep My Claw API. Required tools (curl, openssl, tar, jq, python3) are used and expected for this functionality.
ℹ Instruction scope
The SKILL.md instructs the agent to programmatically register an account (create JWT and API keys), generate a random account password, poll for payment activation, and then create/store an API key and encryption passphrase locally. That behavior is consistent with automating onboarding but has privacy/consent implications: the agent creates credentials and will upload highly sensitive files (credentials directory) to a third-party endpoint. The instructions correctly confine file access to ~/.openclaw and write config to ~/.keepmyclaw, but the 'agent handles everything; human only clicks payment link' pattern means account creation happens mostly without interactive human input.
✓ Install mechanism
No install spec; this is an instruction + script bundle. All code is included in the skill (no downloads or archives), so nothing external is installed during skill use beyond the service API calls. This minimizes install-time risk.
ℹ Credential requirements
The skill does not request environment variables but does read and upload sensitive local files (openclaw credentials, configs, cron jobs). That is proportionate to a full-agent backup tool, but it is high sensitivity: the API key and encryption passphrase are persisted under ~/.keepmyclaw and the backup contains credentials that, while encrypted, are stored off-host. Users should treat this as granting a third party access to secrets if the passphrase or API key are compromised or mishandled.
✓ Persistence and privileges
The skill does not demand always:true or elevated platform privileges. It writes its own config/passphrase into ~/.keepmyclaw (expected for a backup client) and does not modify other skills or system-wide agent settings.
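Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.4.1 2026/2/12
● Suspicious
Install command
Official: npx clawhub@latest install keepmyclaw
Mirror (accelerated): npx clawhub@latest install keepmyclaw --registry https://cn.longxiaskill.com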