OpenClaw Plugin

Security checks across malware telemetry and agentic risk

Overview

This plugin's stated purpose, workspace syncing through GitHub, is clear, but it also enables silent automatic pull/push of skills, memory, and settings by default, which can change local agent behavior and upload sensitive workspace content without per-session review.

Install only if you intentionally want your OpenClaw skills, memory, and settings synced through GitHub. Use a private repository, restrict GitHub credentials, review the synced paths, and consider turning off autoSync until you are comfortable with automatic session start/end pulls and pushes.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

Workspace files may be downloaded from GitHub or uploaded to GitHub automatically at session boundaries, without the user reviewing each operation.

Why it was flagged

Auto-sync is enabled by default unless explicitly disabled, and the plugin runs pull/push operations automatically through lifecycle hooks.

Skill content
const autoSync = api.pluginConfig?.autoSync !== false; ... api.registerHook('session_start', ... autoPull()); ... api.registerHook('session_end', ... autoPush());
Recommendation

Disable autoSync by default or require clear opt-in and per-run confirmation for pushes and potentially destructive pulls.

ASI06: Memory and Context Poisoning
High
What this means

If the GitHub repo is public, shared, or compromised, private memory/settings could leak or poisoned skills/settings could be pulled back into the agent’s workspace.

Why it was flagged

The synced content includes persistent memory, skills, and identity/config files that can influence future agent behavior and may contain sensitive personal or workspace context.

Skill content
Ask the user which items to sync (default: all three):
- Skills (`~/.openclaw/workspace/skills`)
- Memory (`~/.openclaw/workspace/memory`)
- Config files (`AGENTS.md`, `SOUL.md`, `USER.md`, `TOOLS.md`, `IDENTITY.md`)
Recommendation

Use only a private, trusted repository; review what paths are synced; and consider adding explicit exclusions, integrity checks, and user review before applying pulled skills or identity/config files.

ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

A changed or compromised dependency version could affect what files are read, written, or pushed to GitHub.

Why it was flagged

The core sync implementation is delegated to an unpinned package version, so future installs may execute different dependency code than the reviewed artifact.

Skill content
"dependencies": {
  "@any-sync/cli": "*"
}
Recommendation

Pin @any-sync/cli to an exact reviewed version and include a lockfile or provenance information.

ASI03: Identity and Privilege Abuse
Low
What this means

The plugin will rely on GitHub account access to read/write the configured sync repository.

Why it was flagged

GitHub authentication is expected for a GitHub sync tool, but the registry metadata declares no required credentials or environment variables.

Skill content
Option A: Set `GITHUB_TOKEN` environment variable
- Option B: Run `gh auth login` to authenticate with GitHub CLI
Recommendation

Use a minimally scoped GitHub token or GitHub CLI login limited to the intended private sync repository, and update metadata to disclose this requirement.