Skill Sync

The skill's code and instructions match its stated purpose (syncing/publishing skills) but there are several practical and security mismatches — hardcoded user paths, implicit/undeclared credentials, and fully automated publish/commit behavior that could push sensitive data without review.

This skill appears to do what it claims (scan local skills, run 'clawhub publish' and git commit/push, and write status), but there are several practical security concerns you should consider before installing or scheduling it to run automatically: - Credentials: The script relies on your existing Git and ClawHub CLI authentication but does not declare or request them. Ensure Git remotes and ClawHub CLI are configured securely (SSH keys or credential helper) and that no long-lived tokens are exposed in the repos being synced. - Hardcoded paths: The code uses absolute paths under /Users/xufan65/.openclaw/..., which may not match your environment. Inspect and update CONFIG and config/settings.json to point to the right directories before running. - Automatic publish/commit: The default config enables auto-commit and auto-publish with requireConfirmation:false. That means changes (including accidental or sensitive files) could be committed and published automatically. Turn on requireConfirmation, set autoPublishToClawhub:false, or run with --dry-run for initial testing. - Review what will be included in commits: The script runs 'git add .' in each skill repo. Ensure no secrets, private keys, or credentials are stored in any skill directory. Consider adding stricter ignore rules or performing a manual review step. - Test safely: Run the script in dry-run mode or on a copy of your workspace first. Inspect the full scripts (the provided sync.cjs was truncated in the listing) to confirm there are no additional behaviors (network callbacks, webhooks, hidden endpoints). - Least privilege: Use separate service accounts, limited-scope tokens, or a staging repo/ClawHub project for automated syncs. Disable autonomous scheduling until you are confident. If you want, I can extract and review the remainder of scripts/sync.cjs (and any other included JS files) to look for additional risky patterns, or suggest specific configuration changes to make this safer.