Git Watcher

Warn

Audited by ClawScan on May 11, 2026.

Overview

This skill is mostly aligned with versioning OpenClaw config, but it handles local credential files and the visible code redacts secrets by writing back to the live files, which could break credentials or hide the real impact.

Review this carefully before installing. The Git history and rollback features are useful, but the skill touches ~/.openclaw/credentials and the visible source suggests redaction may overwrite live credential files. Back up ~/.openclaw first, avoid using it on real credentials unless the implementation is fixed or verified, and approve restore/reset operations only after checking the preview diff.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the commit workflow could replace real local API keys or credential values with redacted placeholders, potentially breaking OpenClaw integrations or making credentials hard to recover.

Why it was flagged

The script explicitly includes the credentials directory in tracked paths and the redaction helper writes the redacted content back to the file under ~/.openclaw, indicating live credential files may be modified rather than only sanitized in a temporary staging area.

Skill content

TRACKED_PATHS = [
    "openclaw.json",
    "credentials",
    "agents",
    "flows",
]
...
# Write redacted version
with open(full, "w") as f:
    f.write(redacted)

Recommendation

Do not run this on real credential profiles unless you have backups. The skill should avoid tracking credentials by default, redact only a temporary copy or Git index blob, and require explicit opt-in for each credential file.

What this means

A restore or hard reset can roll back configuration, agents, flows, and potentially credential-related files, changing how OpenClaw behaves.

Why it was flagged

The skill documents powerful Git operations that can overwrite tracked OpenClaw configuration files. The instructions do require confirmation, so this is purpose-aligned but high-impact.

Skill content

Full tree restore: `git checkout <commit> -- .` (all tracked files)
- **Hard reset** (destructive): `git reset --hard <commit>` — only if user explicitly says "hard reset"

Recommendation

Inspect the preview diff carefully, keep an external backup of ~/.openclaw, and only approve hard reset when you fully understand what will be overwritten.

What this means

Users may trust the skill to safely protect secrets without realizing the local credential files themselves may be changed.

Why it was flagged

The README frames credential handling as a safety guarantee focused on Git commits, but the visible code shows redaction can be written back to live files. That important tradeoff is not clearly disclosed in the user-facing claim.

Skill content

**Credentials are automatically redacted**: real API keys never go into a git commit; the commit only shows `[REDACTED-api-key]`

Recommendation

The documentation should explicitly state whether redaction modifies live files, how originals are preserved, and how users can restore credentials if redaction occurs.