Helps other OpenClaw instances synchronize memory through a GitHub repository
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: cross-device-sync
Version: 1.0.0
This skill is classified as suspicious because of its extensive use of `child_process.exec` to run powerful shell commands, including `git`, `rsync`, `cp`, and `rm -rf`, as seen in `index.js`. It generates and writes executable shell scripts (`bidirectional_sync.sh`, `upload_to_github.sh`) to the user's file system, and those scripts then modify the file system and perform Git operations. While these actions are consistent with the stated purpose of a 'cross-device sync' skill, the broad capabilities, the direct handling of a GitHub Personal Access Token (PAT) for authentication, and the use of `rm -rf` (even if scoped to backups) present significant security risks if the skill were compromised or misused. There is no clear evidence of intentionally malicious behavior such as data exfiltration to unauthorized endpoints or covert persistence, but the high-risk capabilities warrant a 'suspicious' classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed URL/token could cause unintended local shell commands to run during setup.
The repository URL and token are placed directly into a shell command without validation, quoting, or argument separation.
exec(`git clone ${repoUrl.replace('https://', `https://${token}@`)} ${tempDir}`,
Use spawn/execFile with argument arrays, validate GitHub HTTPS URLs, reject shell metacharacters, and avoid passing untrusted strings to a shell.
The token could be exposed through process listings, command errors, or logs, giving anyone who sees it access to the GitHub repository within the token's permissions.
The GitHub Personal Access Token is embedded into the clone URL used in a command-line operation.
repoUrl.replace('https://', `https://${token}@`)
Use a least-privilege fine-grained token, avoid putting tokens in URLs or shell commands, redact errors, and use a credential helper or a safer authentication mechanism.
A user may type a sensitive GitHub token believing it is protected when it may be visible on-screen or in a recorded terminal session.
The CLI says token input will be hidden, but the prompt implementation uses normal readline input, which does not hide typed characters.
const token = await prompt('请输入GitHub Personal Access Token (输入将被隐藏): ');
Implement a no-echo secret prompt or remove the claim that the input is hidden.
If the GitHub repository or another synced device is compromised, remote files could be written into persistent OpenClaw memory and influence future agent behavior.
The generated sync script automatically merges remote backup contents into the local OpenClaw workspace.
rsync -av --ignore-existing "$LATEST_REMOTE_BACKUP"/. "$LOCAL_WORKSPACE_DIR/"
Restrict sync to known memory files, review remote diffs before merging, verify repository collaborators, and add allowlists/exclusions for sensitive or executable content.
If enabled, synchronization can continue in the background and repeatedly push or pull memory data.
The skill documents optional recurring cron-based synchronization, though it does not appear to install the cron job automatically.
0 * * * * /path/to/bidirectional_sync.sh >> /path/to/sync.log 2>&1
Only enable scheduled sync after reviewing the generated scripts, and keep clear instructions for disabling the cron job.
