OpenClaw Backup & Restore — Encrypted OpenClaw Snapshots

This skill appears to do exactly what it claims: create GPG-encrypted backups of ~/.openclaw and push them to a private GitHub repository. Before installing or running it, consider the following: - Credentials: You must provide BACKUP_PASSWORD and a GITHUB_PAT. The PAT should be created with the minimum necessary scope (prefer a PAT limited to the specific repo if possible), stored securely, and rotated if compromised. The scripts use a temporary askpass helper to avoid exposing the PAT in process listings, but the PAT still grants repository access while used. - Protect your passphrase: BACKUP_PASSWORD decrypts all backups. Keep it secret and backed up separately; if lost, backups are unrecoverable. - Confirm what will be backed up: The code excludes .env files but will archive all other files under ~/.openclaw. Verify that no additional sensitive secrets or keys (beyond .env) live in that folder before backing up to GitHub, even in encrypted form. - Repository ownership & privacy: Backups are pushed to a GitHub repo you control. Ensure the repo is private and the account/organization usage matches your security policy. If you prefer not to use a PAT, consider adjusting the workflow to use a deploy key or machine account (requires code changes). - Binaries expectation: The metadata did not declare required binaries, but the scripts require git, gpg (and tar). Make sure those are available on target machines. - Review & test: Inspect the included scripts and run setup in an attended session on a non-production workspace first to confirm behavior. After setup, verify that backups are present in the expected repo and that restore works before relying on the system. If you want additional checks, provide the service/account you plan to use for the GitHub repo and I can suggest minimal PAT scopes or alternatives (deploy keys, GitHub Actions, etc.).