Back up the OpenClaw agent workspace to a GitHub repo and keep it synced via a cron-driven commit/push script.
Security Analysis
medium confidenceThe skill's stated purpose (back up the agent workspace to GitHub) matches its instructions, but it instructs the agent to auto-install system packages with elevated privileges, authenticate and push the entire workspace to GitHub, and create persistent cron jobs while insisting on doing this "automatically and quietly" — behavior that can expose sensitive data and perform system-level changes without clear, explicit user consent.
The name/description (backup OpenClaw workspace to GitHub) aligns with the instructions to initialize a git repo, create or connect a GitHub repo, and set up scheduled commits/pushes. However, the scope of actions (installing system packages with sudo, enabling system services, running gh auth flows, and scheduling cron jobs) is broader than many users would reasonably expect from a simple "backup" helper and should be explicitly justified/consented to.
SKILL.md instructs the agent to run system package managers (brew/apt/dnf/yum/pacman/zypper/apk), enable/start system services, run gh auth (device/browser login), initialize and add all files from the workspace directory, and create a cron-driven commit/push script. It also contains an explicit behavioral rule to "Do everything automatically and quietly," which grants the agent discretion to perform privileged installs and persistent exfiltration of workspace contents with minimal user interaction. The instructions therefore exceed the narrow scope of safely backing up a curated set of files and would read/write system-level configuration and potentially transmit private data to GitHub.
There is no formal install spec (instruction-only), which is lower risk in one sense, but the runtime instructions explicitly call system package managers and download the official GitHub CLI keyring (official URLs). That avoids third-party binary hosting, but still directs automated use of sudo and system installs — a high-impact action that should require explicit user approval.
The skill requests no declared environment variables, but it requires GitHub authentication via gh (device/browser flow) and will push the entire workspace to a user-chosen GitHub repo. This is functionally required for backups, but the level of access (push rights to a repo that will contain your agent workspace) is high and can expose secrets stored in the workspace. The SKILL.md forbids asking for a PAT (prefers gh), which is reasonable, but does not limit which files are committed or require user review of contents prior to push.
The skill instructs creation of a cron job and a commit/push script (persistent presence on the host). The skill metadata does not set always:true, but it leaves model invocation enabled (disable-model-invocation not set), and the SKILL.md explicitly tells the agent to act "automatically and quietly" when installed or referenced. That combination allows the model to trigger persistent, automated backups (and therefore repeated exfiltration) without clear, repeated explicit consent.
Guidance
This skill will attempt system-level installs (using sudo), enable/start services, run the GitHub CLI auth flow, initialize a git repo in your agent workspace, and create a cron job that regularly commits and pushes the entire workspace to GitHub. That can inadvertently publish secrets or other private data and makes persistent changes to the system. Before installing, consider: (1) Inspect the workspace contents and add strict .gitignore entries or prune sensitive files; (2) prefer a private repo and review the first commit before pushing; (3) require explicit user approval for every privileged install or script creation (the skill currently says to act quietly); (4) if you want to limit autonomous behavior, set disableModelInvocation: true or avoid referencing the skill except when you explicitly run it; (5) if you need this functionality, consider running the setup steps manually or adapt the script so the user must confirm each privileged action and review commit contents. If you do not fully trust the skill source or do not want persistent automated pushes of your workspace, do not install.
Latest Release
v1.0.0
GitClaw 1.0.0 – Initial release: automatic agent workspace backup to GitHub with cron-driven syncing. - Automates installation and setup of prerequisites: git, crontab, GitHub CLI (gh). - Guides user through repository creation (name, visibility) and configures GitHub authentication with gh (no personal access token needed). - Sets up a git repository in the agent workspace and connects to a user-chosen GitHub repo, avoiding accidental overwrites. - Installs a cron-based sync script to back up agent workspace at a user-defined interval. - Only notifies the user if input or action is required (repo details, permissions, or installation/authentication failures).
More by @marian2js
Published by @marian2js on ClawHub
