帮助其他OpenClaw实例通过GitHub仓库实现记忆同步
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The sync goal is plausible, but this skill handles a GitHub token and OpenClaw memory with unsafe shell commands and broad automatic syncing.
Install only if you intentionally want this OpenClaw memory/workspace synced to a private GitHub repository. Prefer waiting for fixes to shell command handling and token prompting, use a fine-grained least-privilege GitHub token, review generated scripts before running or scheduling them, and limit the synced files to data you are comfortable storing in GitHub.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed URL/token could cause unintended local shell commands to run during setup.
The repository URL and token are placed directly into a shell command without validation, quoting, or argument separation.
exec(`git clone ${repoUrl.replace('https://', `https://${token}@`)} ${tempDir}`,Use spawn/execFile with argument arrays, validate GitHub HTTPS URLs, reject shell metacharacters, and avoid passing untrusted strings to a shell.
The token could be exposed through process listings, command errors, or logs, giving anyone who sees it access to the GitHub repository within the token's permissions.
The GitHub Personal Access Token is embedded into the clone URL used in a command-line operation.
repoUrl.replace('https://', `https://${token}@`)Use a least-privilege fine-grained token, avoid putting tokens in URLs or shell commands, redact errors, and use a credential helper or safer authentication mechanism.
A user may type a sensitive GitHub token believing it is protected when it may be visible on-screen or in a recorded terminal session.
The CLI says token input will be hidden, but the prompt implementation uses normal readline input, which does not hide typed characters.
const token = await prompt('请输入GitHub Personal Access Token (输入将被隐藏): ');Implement a no-echo secret prompt or remove the claim that the input is hidden.
If the GitHub repository or another synced device is compromised, remote files could be written into persistent OpenClaw memory and influence future agent behavior.
The generated sync script automatically merges remote backup contents into the local OpenClaw workspace.
rsync -av --ignore-existing "$LATEST_REMOTE_BACKUP"/. "$LOCAL_WORKSPACE_DIR/"
Restrict sync to known memory files, review remote diffs before merging, verify repository collaborators, and add allowlists/exclusions for sensitive or executable content.
If enabled, synchronization can continue in the background and repeatedly push or pull memory data.
The skill documents optional recurring cron-based synchronization, though it does not appear to install the cron job automatically.
0 * * * * /path/to/bidirectional_sync.sh >> /path/to/sync.log 2>&1
Only enable scheduled sync after reviewing the generated scripts, and keep clear instructions for disabling the cron job.