{ "trust": { "tier": "Dangerous", "emoji": "🔴", "description": "Multiple critical issues — do not install without thorough manual review", "score": 20 }, "format": "skill", "skill": { "name": "openclaw-checkpoint", "description": "Backup and restore OpenClaw workspace state and agents across machines using git. Enables disaster recovery by syncing SOUL.md, MEMORY.md, memory files, cron jobs, agents (~/.openclaw/agents/), and configuration to a remote repository. Use when user wants to checkpoint their OpenClaw state, restore on a new machine, migrate between computers, or protect against data loss. Provides commands checkpoint (help overview), checkpoint-setup (interactive onboarding), checkpoint-backup, checkpoint-restore (with interactive checkpoint selection or --latest for most recent), checkpoint-schedule (auto-backup), checkpoint-stop, checkpoint-status, checkpoint-init, and checkpoint-reset. Supports multi-agent backup with flags --workspace-only, --agents-only, and --agent . Automatically backs up cron jobs to memory/cron-jobs-backup.json on each checkpoint-backup.", "version": null, "slug": "openclaw-checkpoint" }, "scores": { "security": 0, "transparency": 6, "maintenance": 7, "overall": 2 }, "permissions": { "summary": "No declared permissions — minimal attack surface.", "environmentVariables": [], "binaries": [], "envVarCount": 0, "requiredBinCount": 0 }, "compoundThreats": [ { "id": "memory_exfiltration", "severity": "critical", "description": "Accesses agent memory/notes AND sends data externally — may leak personal data", "capabilities": [ "agent_memory", "network_out" ], "owasp": [ "LLM02", "LLM07" ], "owaspAsi": [ "ASI03", "ASI06" ] }, { "id": "credential_store_access", "severity": "critical", "description": "Accesses system credential store AND sends data externally", "capabilities": [ "credential_store", "network_out" ], "owasp": [ "LLM02" ], "owaspAsi": [ "ASI03" ] }, { "id": "persistent_hijack", "severity": "high", "description": "Accesses agent memory AND writes files — may modify agent behavior persistently", "capabilities": [ "agent_memory", "file_write" ], "owasp": [ "LLM01", "LLM06" ], "owaspAsi": [ "ASI01", "ASI06" ] }, { "id": "memory_leak", "severity": "high", "description": "Accesses agent memory AND sends data externally — may leak conversation history", "capabilities": [ "agent_memory", "network_out" ], "owasp": [ "LLM02", "LLM07" ], "owaspAsi": [ "ASI06" ] } ], "permissionIntegrity": [ { "type": "undeclared_capability", "severity": "high", "description": "Makes network requests but does not declare curl/wget in required binaries", "declared": [], "actual": "network_out", "owasp": [ "LLM06" ], "owaspAsi": [ "ASI02" ] }, { "type": "undeclared_capability", "severity": "medium", "description": "Performs file operations but does not declare file-accessing binaries", "actual": "file_read+write", "owasp": [ "LLM06" ], "owaspAsi": [ "ASI02" ] }, { "type": "opaque_dependency", "severity": "medium", "description": "Installs packages at runtime — transitive dependencies are not auditable", "actual": "package_install", "owasp": [ "LLM03" ], "owaspAsi": [ "ASI04" ] }, { "type": "sensitive_access", "severity": "high", "description": "Accesses agent memory/configuration files", "actual": "agent_memory", "owasp": [ "LLM06" ], "owaspAsi": [ "ASI02" ] } ], "capabilities": [ "network_out", "agent_memory", "file_write", "package_install", "credential_store" ], "findings": [ { "severity": "medium", "category": "exfiltration", "description": "References agent memory files", "zone": "frontmatter", "zoneContext": "declaration", "file": "SKILL.md", "downgraded": false, "sample": "MEMORY.md", "owasp": [ "LLM02" ], "owaspAsi": [ "ASI03" ], "confidence": "pattern" }, { "severity": "high", "category": "filesystem", "description": "Accesses shell history/config", "zone": "code", "zoneContext": "instruction", "file": "SKILL.md", "downgraded": false, "sample": "~/.zshrc", "owasp": [ "LLM06" ], "owaspAsi": [ "ASI02" ], "confidence": "pattern" }, { "severity": "critical", "category": "shell_injection", "description": "Pipe-to-shell pattern (curl | sh) — supply chain attack vector", "zone": "code", "zoneContext": "instruction", "file": "SKILL.md", "downgraded": false, "sample": "curl -fsSL https://raw.githubusercontent.com/AnthonyFrancis/openclaw-checkpoint/", "owasp": [ "LLM05", "LLM06" ], "owaspAsi": [ "ASI02", "ASI05" ], "confidence": "pattern" }, { "severity": "critical", "category": "shell_injection", "description": "Pipe to bash — executes piped content as shell commands", "zone": "code", "zoneContext": "instruction", "file": "SKILL.md", "downgraded": false, "sample": "| bash", "owasp": [ "LLM05", "LLM06" ], "owaspAsi": [ "ASI02", "ASI05" ], "confidence": "pattern" }, { "severity": "high", "category": "credentials", "description": "References SSH/GPG private keys", "zone": "code", "zoneContext": "instruction", "file": "SKILL.md", "downgraded": false, "sample": "ssh-key", "owasp": [ "LLM02" ], "owaspAsi": [ "ASI03" ], "confidence": "pattern" }, { "severity": "high", "category": "credentials", "description": "Accesses .ssh directory", "zone": "code", "zoneContext": "instruction", "file": "SKILL.md", "downgraded": false, "sample": ".ssh/", "owasp": [ "LLM02" ], "owaspAsi": [ "ASI03" ], "confidence": "pattern" }, { "severity": "critical", "category": "shell_injection", "description": "Recursive delete from root or home — destructive command", "zone": "code", "zoneContext": "instruction", "file": "SKILL.md", "downgraded": false, "sample": "rm -rf ~", "owasp": [ "LLM05", "LLM06" ], "owaspAsi": [ "ASI02", "ASI05" ], "confidence": "pattern" } ], "summary": { "total": 7, "critical": 3, "high": 3, "medium": 1, "low": 0, "compoundThreats": 4, "integrityIssues": 4 }, "trustSignals": { "positive": [ { "signal": "described", "positive": true, "detail": "Has meaningful description" }, { "signal": "minimal_env", "positive": true, "detail": "No environment variables required" }, { "signal": "documented", "positive": true, "detail": "SKILL.md has substantial documentation" } ], "negative": [ { "signal": "versioned", "positive": false, "detail": "No version declared" }, { "signal": "opaque_deps", "positive": false, "detail": "Installs packages at runtime — transitive dependencies are unauditable" } ] }, "files": { "hasExecutableCode": false, "executableFiles": [], "totalFiles": 4 }, "humanSummary": "openclaw-checkpoint scores 20/100 (Dangerous). It declares no permissions. Accesses agent memory/notes AND sends data externally — may leak personal data. 2 undeclared capabilities detected — the skill does more than its permissions suggest. 3 critical pattern matches in code.", "auditedAt": "2026-04-23T03:41:51.802Z", "vtEnrichment": { "checked": 3, "flagged": 0, "urls": [ { "url": "https://raw.githubusercontent.com/AnthonyFrancis/openclaw-checkpoint/main/scripts/install-openclaw-checkpoint.sh", "malicious": 1, "suspicious": 0, "engines": 94, "cached": true }, { "url": "https://img.shields.io/badge/License-MIT-blue.svg", "malicious": 0, "suspicious": 0, "engines": 91, "cached": true }, { "url": "https://img.shields.io/badge/Platform-macOS%20%7C%20Linux-lightgrey.svg", "malicious": 0, "suspicious": 0, "engines": 97, "cached": true } ] } }