GitHub Memory Sync
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: github-memory-sync Version: 1.1.0 The skill is designed to sync sensitive OpenClaw workspace files (including identity, memory, and tool configurations) to a GitHub repository. It is classified as suspicious because `cron-backup.sh` contains a hardcoded default repository (`davinwang/openclaw-memory`), which could lead to unintentional data exfiltration of private information to the author's repository if the user does not correctly override the `GITHUB_REPO` environment variable. Furthermore, `sync.sh` handles the GitHub Personal Access Token by embedding it directly into the Git remote URL, a practice that exposes sensitive credentials to process monitoring and command history.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If cron is enabled without an explicit repository setting, private OpenClaw memory and configuration may be pushed toward a repository the user did not choose.
The scheduled backup script falls back to a specific GitHub repository if GITHUB_REPO is not set, then runs a full workspace push. That conflicts with the user-selected-repository model and could send sensitive backup contents to an unintended destination.
GITHUB_REPO="${GITHUB_REPO:-davinwang/openclaw-memory}" ... export SYNC_MODE="full" ... bash "$SYNC_SCRIPT" pushRemove the hard-coded repository fallback, require GITHUB_REPO explicitly, show the target repo before every push, and use placeholders rather than real-looking defaults in cron examples.
A broad GitHub token could read or write repositories beyond the intended backup repo if over-scoped or mishandled.
The skill requires a GitHub token with repository read/write authority. This is expected for backup, but it is high-impact authority and the supplied registry requirements say no primary credential or required environment variables.
GitHub Token: - 需要一个 Personal Access Token - 权限要求:`repo`(仓库读写权限)
Use a fine-grained GitHub token limited to the single private backup repository, declare the credential requirement in registry metadata, and avoid storing long-lived broad tokens.
Backups may contain personal information, agent identity/personality, long-term memory, and tool configuration details.
The skill clearly discloses that it syncs persistent memory and configuration files marked as highly sensitive. This is purpose-aligned, but it means private context and tool details can leave the local workspace.
SOUL.md ... 🔒 高; IDENTITY.md ... 🔒 高; USER.md ... 🔒 高; MEMORY.md ... 🔒 高; TOOLS.md ... 🔒 高; memory/*.md ... 🔒 高
Review the files before upload, use a private repository, exclude secrets, and rotate any credentials that may already be present in memory or tool files.
Restoring from an untrusted or mistaken repository could overwrite local memory, identity, tool notes, or skills and affect later agent sessions.
The restore path copies remote memory/config files and skills back into the workspace. That is expected for migration, but a wrong or compromised backup can propagate persistent changes into future agent behavior.
cp "$file" "$WORKSPACE_DIR/$file" ... cp -r skills/* "$WORKSPACE_DIR/skills/"
Review diffs before pull/restore, keep a local backup, and restore only from a trusted private repository.
Once enabled, the system may continue uploading workspace changes daily without asking again.
The documentation instructs users how to create a recurring cron job. This persistence is disclosed and optional, but it keeps performing backups after the initial setup.
30 2 * * * /root/.openclaw/workspace/skills/github-memory-sync/cron-backup.sh
Enable cron only if recurring backups are desired, document where the cron job is installed, and remove or disable it when no longer needed.
Users may be confused about which code will run or may rely on stale setup instructions.
The skill documentation references a Python helper path that is not in the provided file manifest, while the package actually includes shell scripts. This is a packaging/documentation inconsistency rather than proof of malicious behavior.
scripts/sync_to_github.py - 同步脚本 ... python scripts/sync_to_github.py push
Align SKILL.md, README, clawhub.yaml, and the manifest so the declared entry point, helper files, environment variables, and examples match the packaged files.