GitHub Memory Sync

This skill's functionality matches its description, but it contains insecure defaults and packaging mistakes you should address before using it on sensitive data. Key actions to consider before installing or running: - Do not paste a long-lived PAT into crontab or /etc/environment. Use short-lived tokens or a deploy key with minimal scope when possible, and rotate tokens after testing. - The scripts build an HTTPS URL with the token embedded. That can leave tokens in .git/config or process contexts. Prefer using a credential helper, the GitHub CLI (gh auth), or SSH deploy keys instead of embedding tokens in URLs. Remove credentials from .git/config after pushes. - The scripts copy many files and do not explicitly exclude openclaw.json or other config files; add explicit excludes (e.g., a .gitignore or modify copy_workspace_files to skip openclaw.json, any secrets/ or tokens files) and verify the repo contents before pushing. - Avoid backing up sensitive channel credentials; manually review files to be synced or run the script with --memory-only if you only need memory files. - Fix manifest mismatches (registry env metadata vs clawhub.yaml, and license mismatch) or request a corrected package from the author before trusting it. - If you must use automation, prefer a systemd timer running a wrapper that loads credentials from a protected file with restricted permissions (not crontab), and ensure /var/log/openclaw-memory-sync.log is set with appropriate permissions and log-rotation. If you cannot verify or modify the scripts, treat this skill as high-risk for accidental credential exposure and do not use it with production secrets or channel tokens.