Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitClaw

v1.0.0

Back up the OpenClaw agent workspace to a GitHub repo and keep it synced via a cron-driven commit/push script.

by Mariano Pardo (@marian2js)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (backup OpenClaw workspace to GitHub) aligns with the instructions to initialize a git repo, create or connect a GitHub repo, and set up scheduled commits/pushes. However, the scope of actions (installing system packages with sudo, enabling system services, running gh auth flows, and scheduling cron jobs) is broader than many users would reasonably expect from a simple "backup" helper and should be explicitly justified/consented to.
! Instruction Scope
SKILL.md instructs the agent to run system package managers (brew/apt/dnf/yum/pacman/zypper/apk), enable/start system services, run gh auth (device/browser login), initialize and add all files from the workspace directory, and create a cron-driven commit/push script. It also contains an explicit behavioral rule to "Do everything automatically and quietly," which grants the agent discretion to perform privileged installs and persistent exfiltration of workspace contents with minimal user interaction. The instructions therefore exceed the narrow scope of safely backing up a curated set of files and would read/write system-level configuration and potentially transmit private data to GitHub.
Install Mechanism
There is no formal install spec (instruction-only), which is lower risk in one sense, but the runtime instructions explicitly call system package managers and download the official GitHub CLI keyring (official URLs). That avoids third-party binary hosting, but still directs automated use of sudo and system installs — a high-impact action that should require explicit user approval.
! Credentials
The skill requests no declared environment variables, but it requires GitHub authentication via gh (device/browser flow) and will push the entire workspace to a user-chosen GitHub repo. This is functionally required for backups, but the level of access (push rights to a repo that will contain your agent workspace) is high and can expose secrets stored in the workspace. The SKILL.md forbids asking for a PAT (prefers gh), which is reasonable, but does not limit which files are committed or require user review of contents prior to push.
! Persistence & Privilege
The skill instructs creation of a cron job and a commit/push script (persistent presence on the host). The skill metadata does not set always:true, but it leaves model invocation enabled (disable-model-invocation not set), and the SKILL.md explicitly tells the agent to act "automatically and quietly" when installed or referenced. That combination allows the model to trigger persistent, automated backups (and therefore repeated exfiltration) without clear, repeated explicit consent.
What to consider before installing
This skill will attempt system-level installs (using sudo), enable/start services, run the GitHub CLI auth flow, initialize a git repo in your agent workspace, and create a cron job that regularly commits and pushes the entire workspace to GitHub. That can inadvertently publish secrets or other private data and makes persistent changes to the system. Before installing, consider:
(1) Inspect the workspace contents and add strict .gitignore entries or prune sensitive files;
(2) prefer a private repo and review the first commit before pushing;
(3) require explicit user approval for every privileged install or script creation (the skill currently says to act quietly);
(4) if you want to limit autonomous behavior, set disableModelInvocation: true or avoid referencing the skill except when you explicitly run it;
(5) if you need this functionality, consider running the setup steps manually or adapt the script so the user must confirm each privileged action and review commit contents.
If you do not fully trust the skill source or do not want persistent automated pushes of your workspace, do not install.


Runtime requirements

🐙 Clawdis
