ClawHub
Code Pluginsource linked

Openclaw Pluginv0.2.6

Cross-device sync for OpenClaw workspace (skills, memory, settings) via GitHub

any-sync·runtime any-sync·by @imink
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:any-sync
Latest release: v0.2.6Download zip

Capabilities

Tags
executes-code
configSchema
Yes
Executes code
Yes
HTTP routes
0
Runtime ID
any-sync

Compatibility

Built With Open Claw Version
2026.3.28
Plugin Api Range
1
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, skills, and code all correspond to a GitHub-based sync tool: hooks call autoPull/autoPush from an any-sync CLI, skills instruct use of gh and any-sync commands, and config fields (repo, branch, autoSync) match the stated purpose.
Instruction Scope
Runtime instructions are scoped to finding a config file, running npx any-sync commands, and operating on workspace files under the OpenClaw workspace. This is generally appropriate, but the SKILL.md repeatedly instructs the agent (or user) to run 'npx any-sync' which will fetch and execute code from the npm registry at runtime — a supply‑chain/remote‑execution surface that users should be aware of. The skills also tell the user to set GITHUB_TOKEN or use 'gh auth', which is necessary for GitHub access but means tokens will be used by the CLI.
!
Install Mechanism
The registry entry declares no install spec (instruction-only), yet package.json declares a dependency on '@any-sync/cli': '*' and the plugin code requires that module at runtime. This is an incoherence: either the environment must already provide the package or the runtime will rely on npx to fetch it. The dependency version is a wildcard ('*'), which increases supply‑chain risk because it does not pin a specific, reviewed release.
Credentials
The skill does not declare required environment variables in the registry, but the instructions legitimately ask users to provide a GITHUB_TOKEN or authenticate via the GitHub CLI (gh). That is proportional to the function, but users should be careful about token scope and storage. Also the plugin can read $HOME/.any-sync.json and .any-sync.lock (expected for config/lockfiles).
Persistence & Privilege
The skill does not request 'always: true' and only registers normal session_start/session_end hooks if autoSync is enabled in plugin config. It does not request system-wide privileges or modify other skills' configs. Autonomous invocation is allowed (platform default) which is expected for hooks that auto-pull/push.
What to consider before installing
This plugin appears to do what it says (sync workspace files to/from GitHub), but there are two things to check before installing: (1) supply‑chain: the plugin relies on an '@any-sync/cli' implementation and its SKILL.md uses 'npx any-sync' — npx will fetch and run code from npm if not present locally. Verify the upstream project (https://github.com/imink/any-sync) and prefer a pinned, audited release rather than allowing '*' or on-the-fly npm installs. (2) credentials: the tool will use your GitHub credentials (GITHUB_TOKEN or gh-auth). Only enable autoSync if you trust the CLI and the repo (use a private repo if you want to avoid exposing workspace contents). As a precaution, review the '@any-sync/cli' package source, avoid broad token scopes, and back up your workspace before enabling automatic push/pull.

Verification

Tier
source linked
Scope
artifact only
Summary
Validated package structure and linked the release to source metadata.
Source
github.com/imink/any-sync
Commit
f010a0baa9bf
Tag
main
Provenance
No
Scan status
pending

Tags

latest
0.2.6