← 返回 Skills 市场

OCTOOL for backup

Name: OCTOOL for backup
Author: donnieclaw

作者 Donnieclaw · GitHub ↗ · v1.0.17 · MIT-0

cross-platform ✓ 安全检测通过

303

总下载

当前安装

版本数

在 OpenClaw 中安装

/install octool

功能描述

Openclaw Visual Configuration Assistant. Provides secure wizard for local/Git backup and workspace migration.

安全使用建议

This skill appears coherent for a browser-based backup wizard, but take these precautions before installing or using it: 1) Manually review the full oc-tool.html (search for fetch/XHR/WebSocket, eval, atob/decoded strings, or hidden endpoints) to confirm there are no hidden network calls or obfuscated code. 2) Test the page offline (disconnect network) and confirm DevTools → Network shows zero requests before entering any token. 3) If you use Git mode, create a fine-grained GitHub PAT limited to the specific repo and only 'contents: read & write' as recommended. 4) Always inspect generated shell commands before pasting them into your terminal; even well-intentioned scripts can be harmful if executed incorrectly. 5) Prefer running the tool in a disposable or isolated browser profile/tab and close the tab to ensure sessionStorage is cleared. If you want higher assurance, provide the full oc-tool.html for a complete code audit (I only saw a truncated excerpt here).

功能分析

Type: OpenClaw Skill Name: octool Version: 1.0.17 The 'octool' skill bundle is a visual configuration and backup assistant for OpenClaw. Analysis of 'oc-tool.html' reveals a well-documented, frontend-only utility that generates shell commands for the user to manually execute in their terminal. The developer has implemented several security best practices, including regex-based input sanitization (e.g., 'sanitizePath', 'sanitizeTag') to prevent shell injection and the use of 'sessionStorage' to ensure GitHub tokens are cleared when the browser tab is closed. The tool's behavior is strictly aligned with its stated purpose of managing backups and environment migrations, with no evidence of data exfiltration, hidden backdoors, or malicious prompt injection.

能力标签

requires-oauth-token

能力评估

✓ Purpose & Capability

Name, description and SKILL.md describe a local/browser backup and git-integration assistant. The provided html implements a frontend-only UI and explains GitHub PAT usage; there are no unrelated required binaries, env vars, or installs requested, so the requested footprint aligns with the stated purpose.

ℹ Instruction Scope

SKILL.md and the embedded oc-tool.html state the tool runs entirely in the browser, only reads files the user drags in, and only calls api.github.com when the user opts into Git mode. The tool also generates shell commands for manual execution. These instructions remain within scope, but the file makes strong claims about input sanitization and 'no other network calls' — those claims are plausible but should be validated by reviewing the full HTML/JS (e.g., search for fetch/XHR/WebSocket and any dynamic eval or encoded network endpoints).

✓ Install Mechanism

Instruction-only skill with no install spec and no code executed by the platform. No downloads, package installs, or archive extraction are present in the manifest — lowest-risk installation model.

✓ Credentials

No required environment variables or credentials declared. The only credential the tool optionally uses is a GitHub PAT provided by the user in-GUI and (per the code) stored in sessionStorage; that is proportional to the claimed GitHub write/read use. The SKILL.md recommends fine-grained PAT scopes, which is appropriate.

✓ Persistence & Privilege

Skill is not always-on and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide agent settings. Generated shell snippets write to ~/.bash_profile only when the user chooses to run them; that behavior is described and gated by manual copy/paste.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install octool
安装完成后，直接呼叫该 Skill 的名称或使用 /octool 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.17

**v1.0.17 Changelog** - Security: The GitHub Personal Access Token (PAT) is now stored in `sessionStorage` instead of `localStorage` for enhanced privacy; the token is automatically cleared when you close the browser tab. - Security: All shell command user inputs (paths, tags, commit messages, exclude patterns) are now strictly validated. Inputs containing shell metacharacters are rejected with an error. - Safety: The bash profile write command now includes an idempotent marker to guard against repeated execution. - Documentation: Updated privacy and security sections to reflect sessionStorage usage, more precise credential handling, and removal of all background file access outside of explicit user actions. - Usability: Proxy detection command improved; no longer uses dynamic code execution—ensuring only safe, read-only syscalls are generated.

v1.0.16

No file changes detected in this release. - No functional or documentation changes introduced. - Version increment only; all features and documentation remain unchanged.

v1.0.15

v1.0.15 - No file changes detected. - No functional, UI, or documentation updates in this release. - Behavior and features remain identical to the previous version.

v1.0.14

v1.0.14 - No code or documentation changes detected in this version. - Likely a metadata or version bump only; functionality remains as in previous release.

v1.0.13

v1.0.13 - No file or documentation changes detected in this version. - Functionality and documentation remain identical to the previous release.

v1.0.12

v1.0.12 - No changes detected in this release. - All features and documentation remain the same as the previous version.

v1.0.11

v1.0.11 is a documentation and disclosure update focused on security and transparency: - Clarified that GitHub token (PAT) is used only for two specific `api.github.com` calls (repo verify and file write); recommends fine-grained PAT limited to `Contents: Read and Write`. - Made documentation more precise on which files are targeted, emphasizing that all backup/restore commands are generated for manual execution only. - Added explicit disclosure that all generated shell (`sed`/`rsync`/`cp`/`git`) commands are display-only and never executed automatically by the tool.

v1.0.10

No file changes were detected in this release. - Version bumped to 1.0.10 with no code or documentation changes. - No user-facing changes or updates.

v1.0.9

No changes detected in this version. - No updates or modifications were made to the skill files or documentation.

v1.0.8

- Updated usage instructions in SKILL.md for greater clarity on how to launch the tool after installation. - Added guidance for users installed in a custom workspace, including fallback steps if the file path is unclear. - No code changes; documentation update only.

v1.0.7

- No user-visible changes in this release. - Version updated; content and functionality remain the same.

v1.0.6

- Added support for flexible custom backups: users can now intuitively add or remove extra folders/files for packaging via the drag-and-drop UI. - Expanded terminal command generation: now provides clear text examples for `oc` (startup), `oc-save` (backup with custom files), and `oc-rec` (restore specific versions). - Documentation updated to clarify new features and usage for both Chinese and English users.

v1.0.5

- Improved privacy by removing all external resource dependencies (e.g., Google Fonts) for true zero external requests. - Enhanced documentation describing local-only file reading: the tool now explicitly states it processes only user-provided files via drag-and-drop, without accessing other disk data. - Updated security instructions about credential storage, including guidance on least-privilege tokens and browser localStorage risks. - Clarified that all scripts and commands are always generated for manual review and execution—no automated system changes.

v1.0.4

- Added detailed privacy and security statements in both Chinese and English, explaining local-only execution, credential handling, and the manual script execution requirement. - Clarified that the tool neither runs background actions nor modifies files without user review and explicit manual execution. - No changes to underlying files or functionalities; documentation update only.

v1.0.3

No user-facing changes in this release. - Version bumped to 1.0.3 with no file or documentation updates detected.

v1.0.2

- Minor wording changes for clarity in documentation. - Updated descriptions to remove reference to background automation in Secure Configuration Wizard. - No functional or code changes; documentation only.

v1.0.1

- Updated documentation for clearer descriptions in both Chinese and English. - Emphasized manual, text-based configuration and backup commands rather than automated injection. - Clarified the tool’s functionality as a configuration assistant and environment migration aid. - Simplified feature list for easier understanding. - No code or file changes detected in this version.

v1.0.0

Initial Release 🚀 [CN] 新手第一个Openclaw备份Skill！安全纯本地运行，提供 Openclaw 工作区参数和数字分身（Agent）的安全可视化备份、恢复与环境无感注入。 [EN] My first Openclaw backup Skill! Provides secure visual backup, restoration, and seamless environment injection for Openclaw workspace parameters and digital personas (Agents).

元数据

Slug octool

版本 1.0.17

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 18

常见问题

OCTOOL for backup 是什么？

Openclaw Visual Configuration Assistant. Provides secure wizard for local/Git backup and workspace migration. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 303 次。

如何安装 OCTOOL for backup？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install octool」即可一键安装，无需额外配置。

OCTOOL for backup 是免费的吗？

是的，OCTOOL for backup 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

OCTOOL for backup 支持哪些平台？

OCTOOL for backup 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 OCTOOL for backup？

由 Donnieclaw（@donnieclaw）开发并维护，当前版本 v1.0.17。