SPIRIT State Sync

The OpenClaw AgentSkills bundle 'spirit' is designed to preserve AI agent identity and memory by syncing sensitive files (e.g., IDENTITY.md, memory/*.md) from the OpenClaw workspace to a user-configured private Git repository. This involves high-privilege operations including extensive file system access, network communication for Git operations, and persistence via cron jobs (SKILL.md, scripts/spirit-sync-cron.sh, references/cron-setup.md). While the stated purpose is legitimate backup, these capabilities inherently carry significant risk. Furthermore, the installation instructions for the 'spirit' CLI tool itself include a `curl -fsSL ... | bash` command (SKILL.md), which is a critical supply chain vulnerability and potential RCE risk, even if the skill bundle's immediate intent appears to be benign and includes security warnings.