openclaw-gitbak
Backup/restore OpenClaw config and workspace via git.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 76 · 1 current installs · 1 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's stated purpose (git backup/restore) matches the included scripts, but metadata did not declare required binaries or credentials. The scripts require git and an SSH identity (git@... remotes) although required binaries/env were listed as none. Also the default GIT_HOST/GIT_ORG (gitee.com / burnlife) means backups will push to an external third‑party account unless the user edits config.sh.
Instruction Scope
SKILL.md only shows how to run the scripts and edit config.sh, but the scripts themselves perform actions not highlighted in the README: restore.sh, when a directory already exists and lacks an origin remote, will delete all files except .git (find . -type f -not -path './.git/*' -delete) before adding the remote to avoid merge — this can destroy user data. The scripts will also init/commit/push, which will transmit local files to the configured remote.
Install Mechanism
There is no network install step and no external downloads (low install risk). However, this is not purely instruction-only: the skill bundle includes executable shell scripts that will be placed on disk as part of the skill; those scripts invoke git and other OS tools at runtime.
Credentials
No environment variables or credentials were declared, yet the scripts implicitly require SSH access to a git host (i.e., private SSH keys or other git auth). The default remote is a third‑party (gitee.com:burnlife), which would cause potentially sensitive OpenClaw configs and workspace files to be uploaded to that account unless the user configures their own host/org. This is disproportionate to a generic backup helper unless the user explicitly sets their own remotes.
Persistence & Privilege
always is false and the skill does not request system-level privileges or modify other skills. The agent can invoke the skill autonomously (platform default); combined with the default remote behavior this could result in accidental uploads if an agent calls the scripts without the user editing config.sh first.
What to consider before installing
Don't run these scripts without review. Before using: (1) Ensure git is installed and you understand your local SSH/git auth — the scripts use git@... SSH remotes. (2) Edit scripts/config.sh to set GIT_HOST, GIT_ORG, and GIT_BRANCH to your own hosting/account (do not rely on the default gitee.com:burnlife). (3) Inspect the BACKUP_ITEMS mapping to confirm only intended paths will be uploaded. (4) Be aware restore.sh will delete all non-.git files in an existing directory if no origin remote is present — consider removing or changing the 'find ... -delete' line or test on disposable data first. (5) Because required binaries/credentials were not declared in the skill metadata, treat those as missing and ensure you have git and appropriate keys configured. If you are not comfortable editing the script, do not install or run it.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.1
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
OpenClaw Git Backup/Restore
Scripts: ~/.openclaw/skills/openclaw-gitbak/scripts/
Config: edit ~/.openclaw/skills/openclaw-gitbak/scripts/config.sh
Format: BACKUP_ITEMS["key"]="local_path:repo_name:description"
Usage
bash ~/.openclaw/skills/openclaw-gitbak/scripts/restore.sh cfg
bash ~/.openclaw/skills/openclaw-gitbak/scripts/restore.sh workspace
bash ~/.openclaw/skills/openclaw-gitbak/scripts/restore.sh all
bash ~/.openclaw/skills/openclaw-gitbak/scripts/backup.sh cfg
bash ~/.openclaw/skills/openclaw-gitbak/scripts/backup.sh workspace
bash ~/.openclaw/skills/openclaw-gitbak/scripts/backup.sh all
Files
5 totalSelect a file
Select a file to preview.
Comments
Loading comments…