Openclaw Github Sync Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is transparent and purpose-aligned, but its default setup can regularly push broad agent memory, skills, and persona files to GitHub and can pull back changes that alter agent behavior.
Install only if you are comfortable syncing agent context to a private GitHub repo. Before enabling nightly sync, edit references/export-manifest.txt to include only reviewed non-sensitive files, use least-privilege GitHub credentials, inspect the generated repo, and treat any pull as a high-risk operation that requires human review and preferably a dry run.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

1. Private memories, prompts, notes, or skill code could be committed to remote Git history if they are in these directories, even if the repo is private and a heuristic secret scan runs.

The default allowlist exports broad persistent agent context, including all memory and skills, into a Git repository that is then pushed remotely. This is materially broader than a narrowly curated non-sensitive subset.

Default export manifest as shipped by the skill:

    AGENTS.md
    IDENTITY.md
    SOUL.md
    TOOLS.md
    USER.md
    # Skills (add more as you create them)
    skills/
    # Memories
    memory/

Before scheduling sync, narrow the manifest to specific reviewed files, preferably memory/public/ and selected skills only; review the first exported repo manually and do not rely on the secret scanner as complete data-loss prevention.

2. If the sync repo or review process is compromised, a manual pull could change how the agent behaves in later tasks.

The skill accurately discloses that pulled repository content can become future agent instructions or tools.

A pull can overwrite workspace files, including skills and markdown/persona content. Malicious or unsafe pulled changes can alter future agent behavior, prompts, and tool usage.

Only run pulls after explicit human request and review, use PULL_DRY_RUN=1 first, keep pull out of cron, and consider branch protection or signed commits for the sync repo.

3. Allowlisted workspace content may be uploaded repeatedly on a schedule without per-run human review.

The skill intentionally creates recurring automated activity. It is disclosed and limited to push sync, but it persists beyond a single user command.

Skill instructions as written:

    Schedule a nightly OpenClaw cron `agentTurn` that runs push sync only (`scripts/sync.sh`) and reports success/failure. Do not schedule `pull.sh` or `context.sh pull`.

Schedule push automation only after narrowing the export manifest and confirming the private repo and secret-scan behavior; never schedule pull.

4. The skill can act through your GitHub credentials for repo creation and pushes, which is expected for this integration but should be least-privileged.

The helper uses the currently authenticated GitHub CLI identity to create a repository, and the sync workflow also requires SSH/auth access to push.

Command used by the helper:

    `gh repo create "$REPO_NAME" --private --confirm`

Use a dedicated private repo, least-privilege deploy key or bot account, and avoid giving the sync credentials access to unrelated repositories.

5. Setup may be ambiguous or require manual environment-file creation; this is not evidence of malicious behavior, but it is an incomplete packaging signal.

The supplied file manifest does not include references/.env.example, so the setup instructions reference a file absent from the reviewed artifacts.

Skill instructions as written:

    Copy the example env file: `cp references/.env.example references/.env`

Verify the upstream repository contents before installing and create references/.env manually with only the needed SYNC_REMOTE and scoped path settings.
