Zappush

      Safety Report

      Avenger Initiative

      @Asif2BD

      Encrypted GitHub backup and restore for any OpenClaw agent system. Creates branch-per-night backups with smart retention (7 daily, 8 weekly, 12 monthly branc...

      0 Downloads
      0 Installs
      0 Stars
      3 Versions

      Security Analysis

      medium confidence
      Suspicious, 0.08 risk

      The skill's backup behavior is plausible, but there are several inconsistencies and implementation choices that warrant caution before installing (undeclared requirements, implicit access to your GitHub token, and a token-exposure pattern in the scripts).

      Mar 13, 2026 | 8 files | 5 concerns

      Purpose & Capability: concern

      The skill claims to be an encrypted GitHub backup/restore, which matches the scripts' functionality, but the registry metadata lists no required binaries or credentials while the scripts clearly require git, gh (GitHub CLI), openssl, and python3 and rely on the user's authenticated GitHub token. That metadata omission is an incoherence: the skill will fail or behave unexpectedly unless the environment has those tools and an authenticated gh session.

      Instruction Scope: concern

      SKILL.md and the scripts instruct the agent to read and copy many local files (~/.openclaw workspace, memories, skills) and to show the raw encryption key to the user. The scripts also construct an HTTPS repo URL containing the GH token (REPO_URL with ${GH_TOKEN}) which will pass the token as a command argument to git — this can expose the token to local process listings or logs while the command runs. The SKILL.md statement that backups 'auto-run after any critical config change' is vague and not clearly implemented by the scripts, granting the agent broad discretion to run backups silently. Copying entire skill directories into the vault is reasonable for restorability but increases the chance of unintentionally committing code that owners consider sensitive.

      Install Mechanism: note

      There is no install spec (instruction-only), and all code is bundled as shell scripts included in the skill. No remote downloads or obscure URLs are used by the skill itself. That reduces supply-chain risk, but the README suggests installing via a third-party CLI (clawhub) or git clone from ProSkillsMD; if you use those install routes, review those sources separately.

      Credentials: concern

      The skill implicitly requires access to a GitHub token via the GitHub CLI (gh auth token) and reads the user's openclaw.json (which contains API keys) to encrypt it. The registry metadata declared no required environment variables/credentials but the runtime flow depends on gh being authenticated. The use of the GH token embedded in the repo URL exposes that token temporarily. The skill stores a plaintext encryption key on disk under ~/.openclaw/credentials/avenger.key — this is deliberate but increases local key-management responsibility. Overall the requested environment/credentials are proportionate to backing up to a private GitHub repo, but they are not declared and the token-exposure pattern is a real concern.

      Persistence & Privilege: note

      The skill does not request always:true and does not modify other skills or system-wide settings. It instructs the agent to run cron-like backups (SKILL.md mentions scheduled daily backups) but does not itself install system crons. Because the agent can invoke the skill autonomously, a compromised agent could cause repeated backups to the configured vault — this increases blast radius but is a platform default rather than a skill-specific escalation.

      Guidance

      This skill mostly does what it says (encrypt openclaw.json and push backups to your private GitHub repo), but several things need your attention before installing:

      1) Environment & tools: ensure git, the GitHub CLI (gh), openssl, and python3 are installed and that gh is authenticated. The skill's registry metadata fails to declare these requirements — expect to set them up yourself.

      2) GitHub token exposure: the scripts obtain your GH token via `gh auth token` and embed it into the HTTPS URL passed to git. That exposes the token in the git command arguments while the command runs (visible to local process monitors) and is a sensitive pattern. Consider running backups on a single-user, trusted machine only, or modifying the scripts to use a deploy key/SSH remote or the gh CLI's built-in auth helper rather than embedding the token in the URL.

      3) Review the scripts: they copy entire workspaces and skill directories into the vault. Audit the content of skills you’ve added (SKILL.md, scripts/references) to ensure nothing you consider sensitive will be included in plaintext. Verify the .gitignore and confirm credentials/ are excluded.

      4) Key management: the skill prints your encryption key to the console during setup and stores it at ~/.openclaw/credentials/avenger.key with 600 perms. Save that key in a secure password manager and consider a key-rotation plan.

      5) Test first on an isolated instance: run the scripts against a disposable OpenClaw instance and a disposable private GitHub repo to observe behavior, confirm no unintended data leaves the machine, and ensure token handling is acceptable.

      6) If you accept the risk: minimize the GitHub token scope (least privilege, repo-only), enable 2FA on the account owning the vault, and consider switching the scripts to use SSH/deploy key or gh's credential helper to avoid embedding the token in the command line.

      Latest Release

      v1.0.2

      Improved README: ProSkills.md + ClawHub badges at top, full installation guide (3 methods), quick start, restore instructions. Subtle ProSkills discovery mention in SKILL.md footer.

      More by @Asif2BD

      OpenClaw Token Optimizer

      8 stars

      JARVIS Mission Control — Free AI Agent Coordination Hub

      4 stars

      Claude Code CLI for OpenClaw

      0 stars

      Humanize AI Content

      0 stars

      VoiceClaw

      0 stars

      OpenClaw Skill Lazy Loader

      0 stars

      Published by @Asif2BD on ClawHub

      © 2026 Zappush