Description-Behavior Mismatch
Medium
- Confidence: 98%
- Finding: The commit workflow derives files from `git status --porcelain` for the entire `~/.openclaw` tree and stages every changed path except nested git repos, rather than restricting staging to `TRACKED_PATHS`. In this skill context, that is dangerous because the tool is marketed as a configuration checkpoint manager, yet it can silently commit unrelated files from the user's OpenClaw workspace, increasing the chance of persisting sensitive or unintended data.
