Git Backup
Warn: Audited by ClawScan on May 10, 2026.
Overview
This skill matches its stated backup purpose, but it can silently push broad private workspace data to GitHub and uses a powerful GitHub token in risky ways.
Only install or use this if you are comfortable sending your OpenClaw workspace to a private GitHub repository. Use a fine-grained token limited to the backup repo, review exactly what will be committed, strengthen .gitignore, and avoid silent scheduled backups unless you explicitly want them.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A GitHub token with broad repo access could expose or modify private repositories if mishandled, leaked through local config, or reused outside the intended backup repository.
The skill looks for GitHub tokens in local credential-like files and shell configuration, asks for a broad full-repo PAT, stores it in plaintext under ~/.credentials, and embeds it in the git remote URL.
Check credential files ... ~/.credentials/github*.txt ... Check ~/.bashrc for embedded token ... Required permission: repo (full) ... echo "$TOKEN" > ~/.credentials/github-token.txt ... https://${TOKEN}@github.com/...
Use a fine-grained GitHub token limited to one private backup repository, avoid embedding the token in remote URLs, store credentials through a proper credential helper, and require explicit approval before reading local credential files.
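Added example (not part of the ClawScan report and not the skill's own code): shell helpers that detect a token embedded in a git remote URL, rewrite the remote without it, and hand the token to git's credential helper instead of a plaintext file under ~/.credentials. The local repo path, the GitHub username argument and the choice of the `cache` helper are assumptions made for the example.

```shell
# Strip any credential embedded before the host (https://TOKEN@host/...).
# SSH-style remotes (git@github.com:o/r.git) have no "://" and are left alone.
strip_url_credential() {
  case "$1" in
    *://*@*) printf '%s\n' "${1%%://*}://${1#*://*@}" ;;
    *)       printf '%s\n' "$1" ;;
  esac
}

# Exit 0 when the URL carries an embedded credential, 1 otherwise.
url_has_credential() {
  case "$1" in
    *://*@*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Warn about every remote of a repo whose URL embeds a credential and print
# the command that fixes it. $1 is the path of the local clone (assumption).
audit_remotes() {
  git -C "$1" remote -v | while read -r name url _; do
    if url_has_credential "$url"; then
      printf 'WARNING: remote %s embeds a credential; run: git remote set-url %s %s\n' \
        "$name" "$name" "$(strip_url_credential "$url")"
    fi
  done
}

# Point origin at a token-free URL and let git ask a credential helper.
# The "cache" helper keeps the token in memory only (default 15 min; here 1 h).
configure_backup_remote() {
  repo=$1        # local clone of the backup repo (assumption)
  clean_url=$2   # e.g. https://github.com/OWNER/backup.git, no token in it
  git -C "$repo" remote set-url origin "$clean_url"
  git -C "$repo" config credential.helper 'cache --timeout=3600'
}

# Feed the token to the configured helper once, via the credential protocol,
# instead of "echo $TOKEN > ~/.credentials/github-token.txt".
# $2 is the GitHub login (any username is accepted with a PAT), $3 the token.
store_token_in_helper() {
  repo=$1 user=$2 token=$3
  printf 'protocol=https\nhost=github.com\nusername=%s\npassword=%s\n\n' \
    "$user" "$token" | git -C "$repo" credential approve
}
```

The `cache` helper is the portable choice for a demonstration; an unattended six-hourly backup would instead use an OS keystore helper (`osxkeychain`, `libsecret`, `manager`). Avoid `credential.helper store`: it writes the token in plaintext to ~/.git-credentials, which is the same weakness the finding describes.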
Private memories, configuration, notes, and potentially sensitive workspace data may be copied to GitHub and retained in git history.
The skill stages all changes and explicitly includes memory, notes, installed skills, learnings, data, and configuration, which can contain sensitive user context or agent instructions.
git add -A ... Always include: MEMORY.md, SOUL.md, AGENTS.md, TOOLS.md, PA_LIST.md ... memory/ ... skills/ ... .learnings/ ... data/ ... config/
Before enabling this, restrict the backup to specific safe paths, review .gitignore carefully, run git status/diff before each push, and verify the GitHub repository is private with appropriate retention controls.
The agent could continue pushing workspace changes in the background without the user noticing each backup or reviewing what changed.
The documented cron configuration creates ongoing autonomous backups every six hours and explicitly uses silent delivery.
"schedule": "0 */6 * * *" ... "task": "Run git backup of the workspace to GitHub. Use the git-backup skill. Commit all changes and push. Report DONE or BLOCKED." ... "mode": "silent"
Do not enable the cron job unless you want ongoing background backups; prefer visible notifications, manual approval, or a dry-run review before each push.
Unintended files, secrets, or unwanted changes could be committed and pushed to the remote repository.
The regular backup flow stages every change in the workspace and pushes it, with no required file-by-file review or confirmation step.
git add -A ... git commit -m "Auto backup $DATE" ... git push origin main
Add a mandatory git status/git diff review and require user confirmation before committing and pushing broad workspace changes.
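Added example (not part of the ClawScan report and not the skill's own code) that addresses both the sensitive-paths finding above and this unreviewed `git add -A` finding: a staging gate that checks every changed path against an allowlist and a secret-file denylist before anything is staged, then scans the staged diff for GitHub token formats and prints a `--stat` summary for the user to confirm before any commit or push. The allowlist contents, the denylist patterns and the helper names are assumptions chosen for the example; a real deployment would tune them to the workspace.

```shell
# Paths the backup is allowed to touch (assumption: a deliberately narrow set).
BACKUP_ALLOWLIST="AGENTS.md TOOLS.md skills/ config/"

# Known GitHub token shapes: classic PATs are ghp_ + 36 alphanumerics,
# fine-grained PATs start with github_pat_.
TOKEN_RE='ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}'

# Exit 0 when the path is an allowlisted file or lives under an allowlisted
# directory (entries ending in "/"), 1 otherwise.
is_allowed_path() {
  for allowed in $BACKUP_ALLOWLIST; do
    case "$allowed" in
      */) case "$1" in "$allowed"*) return 0 ;; esac ;;
      *)  if [ "$1" = "$allowed" ]; then return 0; fi ;;
    esac
  done
  return 1
}

# Exit 0 when the file name alone suggests credential material.
looks_like_secret() {
  case "$1" in
    .credentials/*|*/.credentials/*|*.pem|*.key|*.p12|*.pfx|.env|*/.env|*.env) return 0 ;;
    *token*|*secret*|id_rsa|*/id_rsa|id_ed25519|*/id_ed25519) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 when the line contains a token-like string.
line_has_token() {
  printf '%s\n' "$1" | grep -Eq "$TOKEN_RE"
}

# Read one path per line on stdin; report every violation; exit 1 if any.
review_paths() {
  rc=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if looks_like_secret "$path"; then
      printf 'BLOCKED secret-like file: %s\n' "$path"; rc=1
    elif ! is_allowed_path "$path"; then
      printf 'BLOCKED outside allowlist: %s\n' "$path"; rc=1
    fi
  done
  return "$rc"
}

# Gate for the backup flow: review paths, stage, scan the staged diff,
# then show what would be committed. Commit and push stay manual steps
# taken only after the user has read the summary. $1 is the repo path.
stage_with_review() {
  repo=$1
  git -C "$repo" status --porcelain --untracked-files=all | cut -c4- | review_paths || return 1
  git -C "$repo" add -A
  if git -C "$repo" diff --cached | grep -Eq "$TOKEN_RE"; then
    printf 'BLOCKED: token-like string found in staged content\n' >&2
    git -C "$repo" reset -q
    return 1
  fi
  git -C "$repo" diff --cached --stat
  printf 'Review the summary above, then run: git -C %s commit && git -C %s push origin main\n' "$repo" "$repo"
}
```

Note that `git status --porcelain` prints renames as `old -> new`; the gate as written checks that whole string, which will fail the allowlist match and force a manual look, which is the conservative outcome for a rename.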
A tampered .context file could run commands before the backup process.
Sourcing a local .context file is a shell execution mechanism; if that file is modified, its contents execute as shell code.
CONTEXT_FILE="/opt/ocana/openclaw/workspace/skills/git-backup/.context" ... [ -f "$CONTEXT_FILE" ] && source "$CONTEXT_FILE"
Treat the .context file as trusted code, keep it user-controlled, and prefer parsing simple key-value configuration instead of using shell source.
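Added example (not part of the ClawScan report and not the skill's own code) of the "parse key-value configuration instead of shell source" recommendation: a loader that reads a .context file line by line, accepts only `KEY=VALUE` lines with identifier keys and metacharacter-free values, and exports them under a `CTX_` prefix so the file can neither run commands nor overwrite variables such as PATH. The `CTX_` prefix and the rejected character set are design choices of this example.

```shell
# The skill's own mechanism, shown for contrast only: anything in the file
# runs as shell code.
#   [ -f "$CONTEXT_FILE" ] && source "$CONTEXT_FILE"

# Load KEY=VALUE lines from $1 without executing the file.
# Blank lines and "#" comments are skipped. Any other malformed or
# suspicious line aborts the load with exit status 1.
load_context() {
  file=$1
  [ -f "$file" ] || return 0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in
      ''|'#'*) continue ;;
      *=*) ;;
      *) printf 'context line %d is not KEY=VALUE: %s\n' "$lineno" "$line" >&2; return 1 ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    # Keys must be shell identifiers: letters, digits, underscore, not digit-first.
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        printf 'context line %d has a bad key: %s\n' "$lineno" "$line" >&2; return 1 ;;
    esac
    # Values are never evaluated, but reject shell metacharacters anyway so a
    # later careless "eval" or unquoted use cannot turn them into commands.
    case "$value" in
      *'$'*|*'`'*|*';'*|*'|'*|*'&'*|*'('*|*')'*|*'<'*|*'>'*|*'\'*)
        printf 'context line %d has a rejected value: %s\n' "$lineno" "$line" >&2; return 1 ;;
    esac
    # Namespaced export: the file can set CTX_PATH but never PATH itself.
    export "CTX_$key=$value"
  done < "$file"
}
```

Callers then read `$CTX_REPO`, `$CTX_BRANCH` and so on. A modified .context that tries `BRANCH=$(curl http://...)` is rejected at load time rather than executed before the backup runs, which is the failure mode the finding describes.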
