Avenger Initiative
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent backup tool, but it uses broad GitHub/account authority, backs up agent memories and skills in plaintext, and installs ongoing automatic backups, so users should review it carefully before installing.
Install only if you are comfortable giving this skill access to your OpenClaw files and GitHub vault. Use a private repository, confirm your GitHub CLI account has minimal necessary access, protect the vault with 2FA/branch controls, review what plaintext files are backed up, and disable the cron job if you do not want ongoing automatic backups.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private agent memories, identity files, and custom skill code may be stored in plaintext in the GitHub vault and later reused or restored into the agent environment.
The skill explicitly backs up memories, identity files, agent files, and custom skills, while stating that only openclaw.json is encrypted. These files can contain sensitive user context or instructions even if the documentation assumes they contain no secrets.
- 🧠 All memory logs and workspace files (SOUL, IDENTITY, MEMORY, TOOLS)
- 👥 Per-agent files for all agents
- 🔧 All custom skills
...
- All other files → plaintext (no secrets)
Use a private vault, review what is copied before enabling automatic backups, consider encrypting memory and skill files too, and exclude any files that may contain secrets or sensitive user data.
The skill can use the user's GitHub CLI authentication, and the token may be temporarily exposed through command arguments or temporary git configuration during setup.
Setup reads the local GitHub CLI token and embeds it into a clone URL. GitHub access is expected for this tool, but using the raw token in a command URL is broader and more exposed than the safer gh repo clone pattern described elsewhere.
GH_TOKEN=$(gh auth token)
REPO_URL=$(echo "$VAULT_REPO" | sed "s|https://|https://${GH_TOKEN}@|")
VAULT_DIR="/tmp/avenger-setup-$$"
git clone --quiet "$REPO_URL" "$VAULT_DIR"
Use a least-privilege GitHub account or token for the vault, confirm gh auth scopes before setup, and prefer an implementation that uses gh repo clone without embedding tokens in URLs.
Backups will continue running every night and uploading the selected OpenClaw data to the configured GitHub vault until the cron job is removed or disabled.
Setup creates an enabled scheduled job that continues invoking the backup command nightly. This is consistent with the advertised backup purpose, but it is persistent autonomous activity.
"enabled": True,
"schedule": {"kind": "cron", "expr": "0 2 * * *", "tz": "UTC"},
"payload": {
"kind": "systemEvent",
"text": "🛡️ Avenger nightly backup: Run this exact command now and confirm when done: bash $SKILL_DIR/backup.sh"
}
Install only if you want recurring backups, and verify or disable the Avenger cron job if you no longer want automatic uploads.
A restore can change how the OpenClaw system behaves across future sessions by replacing memory, scheduled jobs, and custom skills.
Restore can overwrite cron jobs, memories, and installed skills from the vault. It asks for confirmation, so this is purpose-aligned, but a compromised or stale vault snapshot could propagate bad agent state or unsafe skills.
cp "config/cron-jobs.json" "$OPENCLAW_DIR/cron/jobs.json"
...
for mf in workspace/memory/*.md; do [ -f "$mf" ] && cp "$mf" "$WORKSPACE_DIR/memory/$(basename $mf)" || true; done
...
cp -r "$skill_dir"* "$WORKSPACE_DIR/skills/$skill_name/"
Before restoring, verify the vault branch and recent commits, keep the vault private with strong account security, and consider making a full local backup of the current OpenClaw directory.
Users may assume non-openclaw.json files are harmless, even though they can contain private conversations, business context, instructions, or accidentally copied secrets.
The documentation correctly discloses plaintext storage, but the assurance that these files are safe to read directly can understate the privacy risk of storing agent memories, identity files, and custom skill content in a remote repository.
Everything else (SOUL.md, MEMORY.md, etc.) → plaintext in your private repo ... Everything else is plain text — safe to read directly in GitHub.
Treat all backed-up agent memory and skill files as sensitive, review the vault contents, and do not rely on the private GitHub repo as the only protection for plaintext files.
