← 返回 Skills 市场
197
总下载
0
收藏
0
当前安装
8
版本数
在 OpenClaw 中安装
/install openclaw-webdav-backup
功能描述
Backup and restore an OpenClaw workspace with incremental backups, integrity verification, health checks, optional config encryption and optional WebDAV uplo...
安全使用建议
This package appears to implement the described backup features, but review the following before running it:
- Supply your own WebDAV credentials and consider using --encrypt-config before any remote upload. The scripts expect WEBDAV_URL/WEBDAV_USER/WEBDAV_PASS (via .env.backup or env vars) and a decryption password (BACKUP_ENCRYPT_PASS or .env.backup.secret) for encrypted config — the registry metadata did not list these required inputs.
- Inspect ~/.openclaw/openclaw.json: the notify script will try to read it to auto-fill a Telegram bot token if you didn’t provide one. If you do not want the backup tool to read or use tokens stored there, set BACKUP_NOTIFY=0 and explicitly supply tokens only in the notify env file when needed.
- Run a dry-run locally (no --upload) and inspect what files would be archived and what is excluded. Confirm the exclude lists (.env.backup, .env.backup.secret) and that no other secrets are being packaged unintentionally.
- Because the package is script-based, run it in a controlled environment (or a VM/container) first to confirm behavior and to audit logs and network calls. Check the notification scripts (Telegram/WeCom/Feishu) to ensure they only call the expected endpoints when enabled.
- If you need higher assurance, request an explicit manifest from the publisher that lists expected environment variables and any paths the skill will read (especially ~/.openclaw/openclaw.json).
功能分析
Type: OpenClaw Skill
Name: openclaw-webdav-backup
Version: 1.2.7
The skill is classified as suspicious due to high-risk implementation patterns and potential vulnerabilities. Specifically, `openclaw-restore.impl.sh` and `openclaw-backup.impl.sh` utilize `eval` for command execution, which presents a shell injection risk if variables are not properly sanitized. The skill's core functionality involves accessing sensitive configuration data (`openclaw.json`), encrypting it, and transmitting it to external WebDAV and notification endpoints (Telegram, WeCom, and Feishu). While these actions are aligned with the stated purpose of a backup and migration utility, the combination of broad file system access, network exfiltration of secrets, and insecure shell coding practices warrants a cautious classification.
能力评估
Purpose & Capability
The name and description match the scripts and documentation: it implements local backups, incremental strategies, optional config encryption, WebDAV upload, and notifications. However the registry metadata claims 'Required env vars: none' while the implementation expects .env.backup, .env.backup.secret and various BACKUP_* and WEBDAV_* variables — the mismatch is a documentation/manifest inconsistency that should be clarified.
Instruction Scope
Most runtime instructions stay within the backup/restore scope. Notable scope creep: the notify script will attempt to read ~/.openclaw/openclaw.json to extract a Telegram bot token if no token is supplied explicitly. Reading the user's main OpenClaw config to auto-discover bot tokens or other secrets is a convenience but also a privacy risk because that file may contain other service tokens/credentials. The scripts also access standard system paths (HOME, ~/.openclaw) and expect .env files; they exclude .env.backup and .env.backup.secret from archives which is good practice.
Install Mechanism
There is no network install step or download-from-URL; the package includes shell scripts and libraries. No install spec present (instruction-only/packaged scripts). This keeps install risk low — nothing will automatically fetch/extract remote code — but running the included scripts will execute the packaged code on disk.
Credentials
Although registry metadata lists no required env vars, the scripts rely on several sensitive environment values and files (.env.backup with WEBDAV_URL/USER/PASS, .env.backup.secret or BACKUP_ENCRYPT_PASS, BACKUP_NOTIFY* tokens). Requiring WebDAV credentials and an optional encryption password is proportional to the stated purpose, but the silent fallback behavior (reading ~/.openclaw/openclaw.json for Telegram tokens) increases the blast radius by allowing the tool to access stored tokens that the user may not expect it to use. The number of optional variables is moderate and mostly justified, but the manifest should explicitly declare them.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configuration. It writes backups, logs, snapshots and temporary files under the user's workspace and ~/.openclaw which is expected for a backup tool. It uses file locking and cleanup traps; no evidence it tries to persist beyond normal backup artifacts.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-webdav-backup - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-webdav-backup触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.7
Add restore verification mode (--verify-restore/--test-restore), validate checksums and encrypted config recovery safely, and remove internal ROADMAP.md from published package.
v1.2.6
Enterprise notifications, WebDAV retry hardening, set -e fixes, explicit compressor selection fixes, env override fixes, and changelog updates
v1.2.3
Fixed local keyword errors, gzip compression, and trap scope issues that caused backup failures
v1.2.2
Security fixes (path safety, race conditions, token masking), reliability improvements (disk check, integrity verification, SHA-256 checksums), optimizations (pipefail, zstd compression, cleanup library)
v1.2.1
Add dependency check (--check-deps) for pre-restore verification
v1.2.0
Diff Preview, Portable Export, Environment Templating, Operation Logging, Migration Scripts
v1.1.0
Incremental backups (smart/daily/hourly strategies), backup version management (list/latest/delete), integrity verification, health checks
v1.0.0
Initial public release: OpenClaw backup and restore with optional config encryption, WebDAV upload, retention, cron scheduling, restore drill guidance, and Telegram notifications for scheduled runs.
元数据
常见问题
OpenClaw WebDAV Backup 是什么?
Backup and restore an OpenClaw workspace with incremental backups, integrity verification, health checks, optional config encryption and optional WebDAV uplo... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 197 次。
如何安装 OpenClaw WebDAV Backup?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-webdav-backup」即可一键安装,无需额外配置。
OpenClaw WebDAV Backup 是免费的吗?
是的,OpenClaw WebDAV Backup 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
OpenClaw WebDAV Backup 支持哪些平台?
OpenClaw WebDAV Backup 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 OpenClaw WebDAV Backup?
由 ifox2046(@ifox2046)开发并维护,当前版本 v1.2.7。
推荐 Skills