An elegant and secure OpenClaw configuration sync tool, supporting selective backup, .gitignore rules and version control
Security Analysis
High confidence: The skill mostly does what it claims (backup OpenClaw workspace to a git repo) but has inconsistencies and risky behaviors (undeclared required credentials, imperfect ignore logic, token-in-URL pushes and force-push) that could accidentally expose secrets or overwrite remote data.
Name/description match the implementation: the code copies ~/.openclaw/workspace and pushes a per-instance branch/tags to a remote git repo. However the registry metadata declares no required env or credentials while both SKILL.md and index.js expect a BACKUP_REPO and BACKUP_TOKEN stored in ~/.openclaw/.backup.env — this is an inconsistency that should have been declared.
SKILL.md and index.js read files under ~/.openclaw (workspace and a .backup.env config file). The tool constructs a repo URL that embeds the BACKUP_TOKEN and runs git init/commit/push (including --force). Although the docs say it won't upload .env/openclaw.json/credentials/, the code's default ignorePatterns do not include .env, openclaw.json or credentials/ — so unless the user's .gitignore contains those, sensitive files may be copied and pushed. The tool also force-pushes branches, which can overwrite remote history.
No install script or external downloads; this is an instruction-only skill with an included index.js. No arbitrary remote code is fetched during install.
Requesting BACKUP_REPO and BACKUP_TOKEN is proportionate to backing up to a git host. But those credentials were not declared in the registry metadata. The implementation embeds BACKUP_TOKEN in the HTTPS URL used for git push which can leak the token via process listings, shell history, or remote URL storage. The code attempts to mask the token only in error messages, not in other exposures.
The skill does not request always:true, does not modify other skills, and runs only when invoked. It writes temporary staging under ~/.openclaw and a local backup directory, which is expected for a backup tool.
Guidance
This skill appears to implement backup-to-git as advertised, but there are several practical risks you should consider before installing:

1) It expects a BACKUP_REPO and BACKUP_TOKEN saved in ~/.openclaw/.backup.env, but the registry metadata does not declare these — verify you are comfortable providing a git token.
2) The code embeds the token into the HTTPS push URL (https://TOKEN@...), which can leak via process lists, git remotes, or logs; prefer using a git credential helper or a deploy token with minimal scopes.
3) The README and SKILL.md claim sensitive files (.env, openclaw.json, credentials/) won't be uploaded, but the code's default ignore list does not include .env, openclaw.json, or credentials/ — unless your workspace .gitignore lists them they may be backed up. Inspect and/or add robust ignore rules before running.
4) The tool does a forced push (--force) to instance branches which can overwrite remote branches; ensure you push to a private backup repo and understand the effects.
5) If you proceed, create a dedicated private repo and a narrowly scoped token (remove repo access after testing), review the index.js source, add explicit ignore entries for all secrets, and run sync with --dry-run first.

If you want, I can suggest exact code fixes (add .env/openclaw.json/credentials to ignorePatterns, avoid embedding token in URL, use git credential helper, remove --force) or generate a safer wrapper that uses a credential helper and stricter excludes.
Latest Release
v1.0.4
- Internal changes in index.js; no user-facing updates.
- No SKILL.md documentation updates in this version.
Published by @russellfei on ClawHub