← Back to Skills Marketplace
197
Downloads
0
Stars
0
Active Installs
8
Versions
Install in OpenClaw
/install openclaw-webdav-backup
Description
Backup and restore an OpenClaw workspace with incremental backups, integrity verification, health checks, optional config encryption and optional WebDAV uplo...
Usage Guidance
This package appears to implement the described backup features, but review the following before running it:
- Supply your own WebDAV credentials and consider using --encrypt-config before any remote upload. The scripts expect WEBDAV_URL/WEBDAV_USER/WEBDAV_PASS (via .env.backup or env vars) and a decryption password (BACKUP_ENCRYPT_PASS or .env.backup.secret) for encrypted config — the registry metadata did not list these required inputs.
- Inspect ~/.openclaw/openclaw.json: the notify script will try to read it to auto-fill a Telegram bot token if you didn’t provide one. If you do not want the backup tool to read or use tokens stored there, set BACKUP_NOTIFY=0 and explicitly supply tokens only in the notify env file when needed.
- Run a dry-run locally (no --upload) and inspect what files would be archived and what is excluded. Confirm the exclude lists (.env.backup, .env.backup.secret) and that no other secrets are being packaged unintentionally.
- Because the package is script-based, run it in a controlled environment (or a VM/container) first to confirm behavior and to audit logs and network calls. Check the notification scripts (Telegram/WeCom/Feishu) to ensure they only call the expected endpoints when enabled.
- If you need higher assurance, request an explicit manifest from the publisher that lists expected environment variables and any paths the skill will read (especially ~/.openclaw/openclaw.json).
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-webdav-backup
Version: 1.2.7
The skill is classified as suspicious due to high-risk implementation patterns and potential vulnerabilities. Specifically, `openclaw-restore.impl.sh` and `openclaw-backup.impl.sh` utilize `eval` for command execution, which presents a shell injection risk if variables are not properly sanitized. The skill's core functionality involves accessing sensitive configuration data (`openclaw.json`), encrypting it, and transmitting it to external WebDAV and notification endpoints (Telegram, WeCom, and Feishu). While these actions are aligned with the stated purpose of a backup and migration utility, the combination of broad file system access, network exfiltration of secrets, and insecure shell coding practices warrants a cautious classification.
Capability Assessment
Purpose & Capability
The name and description match the scripts and documentation: it implements local backups, incremental strategies, optional config encryption, WebDAV upload, and notifications. However the registry metadata claims 'Required env vars: none' while the implementation expects .env.backup, .env.backup.secret and various BACKUP_* and WEBDAV_* variables — the mismatch is a documentation/manifest inconsistency that should be clarified.
Instruction Scope
Most runtime instructions stay within the backup/restore scope. Notable scope creep: the notify script will attempt to read ~/.openclaw/openclaw.json to extract a Telegram bot token if no token is supplied explicitly. Reading the user's main OpenClaw config to auto-discover bot tokens or other secrets is a convenience but also a privacy risk because that file may contain other service tokens/credentials. The scripts also access standard system paths (HOME, ~/.openclaw) and expect .env files; they exclude .env.backup and .env.backup.secret from archives which is good practice.
Install Mechanism
There is no network install step or download-from-URL; the package includes shell scripts and libraries. No install spec present (instruction-only/packaged scripts). This keeps install risk low — nothing will automatically fetch/extract remote code — but running the included scripts will execute the packaged code on disk.
Credentials
Although registry metadata lists no required env vars, the scripts rely on several sensitive environment values and files (.env.backup with WEBDAV_URL/USER/PASS, .env.backup.secret or BACKUP_ENCRYPT_PASS, BACKUP_NOTIFY* tokens). Requiring WebDAV credentials and an optional encryption password is proportional to the stated purpose, but the silent fallback behavior (reading ~/.openclaw/openclaw.json for Telegram tokens) increases the blast radius by allowing the tool to access stored tokens that the user may not expect it to use. The number of optional variables is moderate and mostly justified, but the manifest should explicitly declare them.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configuration. It writes backups, logs, snapshots and temporary files under the user's workspace and ~/.openclaw which is expected for a backup tool. It uses file locking and cleanup traps; no evidence it tries to persist beyond normal backup artifacts.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-webdav-backup - After installation, invoke the skill by name or use
/openclaw-webdav-backup - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.7
Add restore verification mode (--verify-restore/--test-restore), validate checksums and encrypted config recovery safely, and remove internal ROADMAP.md from published package.
v1.2.6
Enterprise notifications, WebDAV retry hardening, set -e fixes, explicit compressor selection fixes, env override fixes, and changelog updates
v1.2.3
Fixed local keyword errors, gzip compression, and trap scope issues that caused backup failures
v1.2.2
Security fixes (path safety, race conditions, token masking), reliability improvements (disk check, integrity verification, SHA-256 checksums), optimizations (pipefail, zstd compression, cleanup library)
v1.2.1
Add dependency check (--check-deps) for pre-restore verification
v1.2.0
Diff Preview, Portable Export, Environment Templating, Operation Logging, Migration Scripts
v1.1.0
Incremental backups (smart/daily/hourly strategies), backup version management (list/latest/delete), integrity verification, health checks
v1.0.0
Initial public release: OpenClaw backup and restore with optional config encryption, WebDAV upload, retention, cron scheduling, restore drill guidance, and Telegram notifications for scheduled runs.
Metadata
Frequently Asked Questions
What is OpenClaw WebDAV Backup?
Backup and restore an OpenClaw workspace with incremental backups, integrity verification, health checks, optional config encryption and optional WebDAV uplo... It is an AI Agent Skill for Claude Code / OpenClaw, with 197 downloads so far.
How do I install OpenClaw WebDAV Backup?
Run "/install openclaw-webdav-backup" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw WebDAV Backup free?
Yes, OpenClaw WebDAV Backup is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does OpenClaw WebDAV Backup support?
OpenClaw WebDAV Backup is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OpenClaw WebDAV Backup?
It is built and maintained by ifox2046 (@ifox2046); the current version is v1.2.7.
More Skills