Claw Roam

Pass | Audited by ClawScan on May 10, 2026.

Overview

Claw Roam appears to do its stated Git-based workspace sync, but it broadly syncs sensitive OpenClaw memories, skills, and configs, so it should be used only with a trusted private repository.

Before installing, make sure you are comfortable storing your OpenClaw workspace in the configured Git remote. Use a private trusted repository, review `git status` before pushes, add .gitignore exclusions for secrets and local-only files, and be cautious with the optional cron auto-push.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your OpenClaw memories, personality, skills, and device-related context may be stored in Git and reused on other machines.

Why it was flagged

The skill intentionally syncs persistent agent memory, personality, installed skills, and configuration-like files, which can contain sensitive context and affect future agent behavior.

Skill content
Synced (preserved across machines):
- `SOUL.md` ...
- `MEMORY.md` ...
- `memory/*.md` ...
- `skills/` - All installed skills ...
- `TOOLS.md`
Recommendation

Use a private trusted repository, review diffs before pushing, and add .gitignore rules for secrets, tokens, local databases, or files you do not want preserved in Git history.

What this means

Files newly created under the OpenClaw workspace could be committed and pushed if they are not ignored.

Why it was flagged

The push workflow stages all workspace changes and sends them to the configured Git remote. This is purpose-aligned, but broad by default.

Skill content
```bash
git add -A
...
git commit -m "$message"
...
git push
```
Recommendation

Run `git status` or `claw-roam status` before pushing, maintain a careful .gitignore, and avoid storing secrets in the synced workspace.

Note | High Confidence
ASI08: Cascading Failures
What this means

A bad memory edit, unwanted skill change, or accidental deletion could spread across devices through the shared Git branch.

Why it was flagged

The sync workflow merges the current machine branch into the shared main branch, so mistakes or unwanted changes can propagate to other synced machines.

Skill content
```bash
git merge "$current_branch" -m "sync: merge $current_branch -> main"
...
git push origin "$main_branch"
```
Recommendation

Keep backups, review commits before merging to main, and consider branch protection or manual pull requests for important workspaces.

Note | High Confidence
ASI10: Rogue Agents
What this means

If enabled, workspace changes may be uploaded every 10 minutes, including accidental files that Git does not ignore.

Why it was flagged

The documentation suggests an optional cron job that would repeatedly push workspace changes without per-run review if the user installs it.

Skill content
Or let it auto-push via cron:
```bash
*/10 * * * * cd ~/.openclaw/workspace && git add -A && git commit -m "auto: $(date)" && git push
```
Recommendation

Only add the cron job if you really need automatic sync, and first configure exclusions and monitoring for the repository.

What this means

Installation or use may fail or behave differently if Git is unavailable or if the `claw-roam` command is not installed as expected.

Why it was flagged

The included helper script depends on Git operations, while the registry metadata declares no required binaries and no install spec. This is a metadata completeness issue.

Skill content
```bash
git fetch origin
...
git pull origin $(git branch --show-current)
...
git push origin "$current_branch"
```
Recommendation

Confirm Git is installed, inspect the script before use, and verify the installed command points to this reviewed script.