OpenClaw Git Backup
ReviewAudited by ClawScan on May 1, 2026.
Overview
This skill is coherent for Git backups, but it will set up an ongoing job that commits and pushes repository contents and may store a GitHub push token.
Use this only for a repository you intentionally want backed up to the configured remote. Review the first run, confirm the branch and excludes, avoid committing secrets, use a limited GitHub token if needed, and periodically check or disable the cron job.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Files added, modified, or deleted in the repo can be committed and pushed to the remote repository automatically.
The script stages repository changes and pushes the current HEAD to the configured remote branch. This is expected for a backup skill, but it is meaningful write/publish authority.
git add -A -- . "${exclude_args[@]}" ... git push --porcelain "$remote" "HEAD:${branch}"Before enabling the job, verify the repo path, remote, branch, and exclude patterns; make sure the remote is the intended backup destination.
A stored token could allow pushes to the configured repository if exposed or over-scoped.
The skill supports storing a GitHub HTTPS token for push authentication. It is disclosed, user-provided, and permission-restricted, but it remains sensitive credential handling.
If the user explicitly provides a GitHub HTTPS token, prefer repo-local credential storage ... chmod 600 <repo-root>/.git/credentials
Use a least-privilege token limited to the intended repo, keep the repository private if appropriate, and rotate or revoke the token when the backup job is no longer needed.
Future repository changes may be committed and pushed on the configured schedule without another interactive approval.
The skill is designed to create a recurring OpenClaw cron job. This persistence is disclosed and aligned with backups, but it means the automation continues after setup.
Recommended env wrapper ... bash -lc '<runtime-script> <repo-root>' ... schedule: user preference ... timeoutSeconds: 600
Review the cron schedule after installation, enable alerts if desired, and disable or delete the job when automated backups are no longer wanted.
Users rely on the packaged artifact itself rather than an independently verifiable upstream source.
The executable shell script is bundled and reviewable, but the registry does not identify an external source or homepage for provenance.
Source: unknown; Homepage: none; Code file presence: scripts/nightly_git_backup.sh
Inspect the bundled script before use and pin the skill version if deploying it in an important repository.