Claw Sync
Secure sync for OpenClaw memory and workspace. Use /sync to push, /restore to pull, /sync-status to check. Supports versioned backups and disaster recovery.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 5 · 2.8k · 17 current installs · 18 all-time installs
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill is a Git-backed backup/sync tool and the included scripts clearly require BACKUP_REPO and BACKUP_TOKEN stored at ~/.openclaw/.backup.env. However, the registry metadata lists no required environment variables or primary credential — a clear mismatch. Other than that omission, the requested capabilities (reading workspace files and pushing/pulling to a git repo) are consistent with the described purpose.
Instruction Scope
Runtime instructions and scripts stay within the stated purpose (push/pull/list/status/setup). They read/write files under ~/.openclaw/workspace and copy entire skills/* directories into the backup. That is expected, but copying skills/* can unintentionally include sensitive files if other skills store secrets in files. The SKILL.md and code explicitly exclude openclaw.json and .env, which reduces some risk.
Install Mechanism
No install spec — this is an instruction + code-only skill. All code is present in the package (no remote installs or URL downloads), which lowers supply-chain risk. There are duplicated files and nested copies (top-level vs claw-sync/), which is odd but not directly dangerous.
Credentials
The scripts need a high-privilege GitHub/GitLab token (read/write to the repo) and a repository URL — those are proportionate to performing backups. The concern is that the registry did not declare these required env vars. The code embeds the token into HTTPS git URLs for exec'd git commands (repo.replace('https://', `https://${token}@`)), which can expose the token in process arguments, temporary git configs, or if temporary staging/restore dirs are left behind. The code attempts to sanitize error output and cleans up staging dirs, but token leakage scenarios remain possible if something fails mid-run.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. Setup writes its own cron config to ~/.openclaw/cron/backup.json and suggests how to activate it; it does not force a system cron entry automatically. This level of persistence is expected for an auto-backup helper.
What to consider before installing
- Required secrets are not declared in the registry metadata: this skill needs BACKUP_REPO and BACKUP_TOKEN (stored in ~/.openclaw/.backup.env). The omission is a packaging/information risk — double-check you supply only the credentials you intend.
- Use a minimal, revocable token in a private, dedicated repository: create a new private repo for backups and generate a fine-grained (or repo-scoped) token limited to that repository and to the minimum permissions required. Prefer revocable tokens so you can delete them quickly if needed.
- Review what will be pushed: the tool copies workspace files and entire skills/* directories. Run a dry-run first (/sync --dry-run or node scripts/push.js --dry-run) to see exactly which files would be uploaded. Make sure no other skill stored secrets in file form under skills/ or workspace/ that you don't want off-machine.
- Token handling risks: the scripts embed the token into git HTTPS URLs for exec'd commands. That is convenient but can leak tokens into process listings, temporary git configs, or logs if runs fail. To mitigate: run initial tests in a sandbox account or VM, monitor temporary folders (~/.openclaw/.sync-staging, .sync-restore, .local-backup) and delete them manually after successful runs, and prefer a short-lived token.
- Check duplicates and packaging oddities: the package contains duplicated copies of the code (top-level and claw-sync/). That may be benign (packaging artifact) but is unusual — inspect which path your environment will execute (the SKILL.md points to node skills/claw-sync/index.js).
- Cron/autosync: setup-cron only writes a config file and suggests activation; it does not enable system crontab by itself. Don't enable automatic scheduled backups until you've validated dry-run behavior and are confident about token scoping and which files are being uploaded.
- If you proceed: run a dry-run, use a dedicated repo and token, review the code (push/pull scripts) yourself, test in an isolated environment, and rotate/delete the token after verifying functionality.
Like a lobster shell, security has layers — review code before you run it.
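The token-handling concern above, shown as an added example that is not Claw Sync's own code: the URL-embedding pattern the scan quotes next to one that keeps the URL clean and passes the credential through git's environment-based config (git 2.31 or later). The function names, the sample token and the `x-access-token` Basic-auth username are assumptions made for illustration.

```javascript
const { execFileSync } = require('node:child_process');

// Username used in the Basic header; an assumption, adjust for your git host.
const AUTH_USER = 'x-access-token';
const basicFor = (token) => Buffer.from(`${AUTH_USER}:${token}`).toString('base64');

// Weak pattern described by the scan: the token is part of the URL argument,
// so it shows up in process listings and in the clone's .git/config.
function buildCloneWeak(repo, token, dest) {
  return { args: ['clone', repo.replace('https://', `https://${token}@`), dest], env: {} };
}

// Hardened pattern: argv carries only the clean URL; the credential is an
// http.<origin>/.extraHeader entry supplied through GIT_CONFIG_* variables.
function buildCloneHardened(repo, token, dest) {
  const url = new URL(repo);
  if (url.protocol !== 'https:' || url.username || url.password) {
    throw new Error('BACKUP_REPO must be an https URL without embedded credentials');
  }
  return {
    args: ['clone', '--depth', '1', url.href, dest],
    env: {
      GIT_TERMINAL_PROMPT: '0', // fail instead of prompting when auth is rejected
      GIT_CONFIG_COUNT: '1',
      GIT_CONFIG_KEY_0: `http.${url.origin}/.extraHeader`,
      GIT_CONFIG_VALUE_0: `Authorization: Basic ${basicFor(token)}`,
    },
  };
}

// Strip the raw token and its base64 form from anything that gets logged.
function redact(text, token) {
  return String(text).split(token).join('***').split(basicFor(token)).join('***');
}

// Run git with the plan's args and env; errors are redacted before rethrowing.
function runGit(plan, token) {
  try {
    return execFileSync('git', plan.args, {
      env: { ...process.env, ...plan.env }, encoding: 'utf8', stdio: 'pipe',
    });
  } catch (err) {
    throw new Error(redact(err.stderr || err.message, token));
  }
}
```

The environment of a running process is still readable by other processes of the same user, so a narrowly scoped, revocable token remains necessary.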
Current version: v2.0.2
Tags: backup, disaster-recovery, github, latest, memory, sync
SKILL.md
Claw Sync
Secure, versioned sync for OpenClaw memory and workspace.
Commands
/sync
Push your memory and skills to the remote repository.
/sync → Push and create versioned backup
/sync --dry-run → Preview what would be synced
/restore
Restore memory and skills from the remote repository.
/restore → Restore latest version
/restore latest → Same as above
/restore backup-20260202-1430 → Restore specific version
/restore latest --force → Skip confirmation
/sync-status
Show sync configuration and local backup info.
/sync-status
/sync-list
List all available backup versions.
/sync-list
What Gets Synced
| File | Description |
|---|---|
| MEMORY.md | Long-term memory |
| USER.md | User profile |
| SOUL.md | Agent persona |
| IDENTITY.md | Agent identity |
| TOOLS.md | Tool configs |
| AGENTS.md | Workspace rules |
| memory/*.md | Daily logs |
| skills/* | Custom skills |
NOT Synced (security)
- openclaw.json - Contains API keys
- .env - Contains secrets
Setup Required
Create ~/.openclaw/.backup.env:
BACKUP_REPO=https://github.com/username/your-repo
BACKUP_TOKEN=ghp_your_token
Features
- 🏷️ Versioned - Each sync creates a restorable version
- 💾 Disaster Recovery - Local backup before every restore
- 🔒 Secure - No config files synced, token sanitization
- 🖥️ Cross-platform - Windows, Mac, Linux
