bradvin

Openclaw Github Sync

by Brad Vincent · GitHub ↗ · v0.1.4
cross-platform ⚠ suspicious
Downloads: 548
Stars: 0
Active Installs: 0
Versions: 5
Install in OpenClaw
/install openclaw-github-sync
Description
Keep an OpenClaw agent's non-sensitive context (selected memory, MD files, notes, and custom skills) under version control in a separate Git repository for r...
Usage Guidance
This skill appears to do exactly what it says: export an allowlisted subset of your OpenClaw workspace and push it to a separate git repo, and optionally pull reviewed changes back. Before installing or using it:
  1. Use a private repo you control and set SYNC_REMOTE to its SSH URL.
  2. Never automate pulls; only push can be scheduled.
  3. Inspect and customize references/export-manifest.txt to ensure nothing sensitive is included.
  4. Run the sync first in a dry-run or test workspace, and back up your workspace before performing a first pull (pull can overwrite skills and markdown and thus change agent behavior).
  5. Ensure secret scanning is enabled (the included scan_secrets.py runs before commits) and avoid adding ignore rules unless you understand the risk.
  6. If you use gh or jq, make sure the corresponding CLI credentials are managed under least-privilege.
If you want additional assurance, provide the openclaw.json path and run a dry-run pull (PULL_DRY_RUN=1) to preview changes before applying them.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-github-sync
Version: 0.1.4
The skill is designed with strong security controls, including a secret scanner (`scripts/scan_secrets.py`) that blocks commits/pushes if sensitive data is detected, and explicit warnings in `SKILL.md` and `README.md` about the risks of the `pull` operation. However, the `scripts/pull.sh` script allows overwriting agent workspace files (skills, markdown, persona content) from a remote Git repository. While the documentation clearly states this is a 'trust boundary' and 'manual-only' operation, this capability represents a significant prompt injection or remote code execution vulnerability if the designated sync repository is compromised. Additionally, `references/export-manifest.txt` includes the entire `memory/` directory for export, relying solely on the secret scanner to prevent sensitive data exfiltration, which is a point of concern if the scanner has limitations.
Capability Assessment
Purpose & Capability
Name/description promise (export curated workspace files to a separate git repo) matches the included scripts and declared requirements. Required binaries (git, rsync, python3) and required env var (SYNC_REMOTE) are appropriate for pushing/pulling to a git remote. Optional tools (gh, jq) are used only for repo creation or better grouping and are documented as optional.
Instruction Scope
SKILL.md and the scripts focus on exporting allowlisted files, scanning for secrets, committing, pushing, and (manual) pulling. The README and SKILL.md explicitly document the trust boundary, require manual pulls, and warn about pull-induced behavior changes. The only I/O beyond the sync repo/workspace is optional reading of OpenClaw config (openclaw.json) to target per-agent workspace pulls; this is explained in the docs and is coherent with the pull functionality.
Install Mechanism
This is an instruction-only skill with included scripts (no external install spec or remote downloads). No external, untrusted URLs are fetched or executed during normal operation—scripts run locally and use standard system tools. That is a lower-risk install model.
Credentials
The only declared required env var is SYNC_REMOTE (the git remote to push/pull), which is proportionate. Other environment variables used are optional configuration (WORKSPACE_DIR, SYNC_REPO_DIR, PULL_* flags, etc.). The skill does not demand unrelated credentials or broad secrets; Git/SSH authentication is performed against the user-provided remote and is appropriate for the task.
Persistence & Privilege
The skill is not force-included (always:false). It can be run autonomously by the agent (default model invocation allowed), and a nightly push wrapper is provided; this is expected for automation. Important: pull operations can overwrite workspace files (including skills and persona markdown), so manual control is emphasized in the docs — that explicit warning is appropriate but the user should ensure pull is never run automatically without human review.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-github-sync
  3. After installation, invoke the skill by name or use /openclaw-github-sync
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.4
Update to the sync.sh script to ensure the readme.md is built for a sync
v0.1.3
- Added clear trust boundary documentation: emphasized that pulling from sync repo is manual-only, must be human-reviewed, and poses security risks if misused.
- Updated setup and workflow guidance to strongly discourage automated or scheduled pulls; pushes remain automatable.
- Clarified that a private, least-privilege Git repo should be used, and warned users about potential dangers of inbound pull content.
- Expanded prerequisites section: listed required tools, config, and access, and mentioned optional tools for enhanced functionality.
- Minor improvements to onboarding, security warnings, and resource descriptions.
v0.1.2
openclaw-github-sync v0.1.2
- Added a homepage URL and metadata (including required binaries and environment variables) in SKILL.md.
- No changes to files or functionality.
v0.1.1
Initial release with setup scripts, export manifest, and sync automation.
- Added bootstrap and environment setup scripts.
- Included scripts for syncing workspace context and creating private GitHub repos.
- Provided allowlist export manifest and commit grouping configuration.
- Added README and template/reference documentation.
- Included initial secret scanning and ignore list resources.
v0.1.0
Initial release of openclaw-github-sync.
- Enables syncing of OpenClaw agent's non-sensitive context (memories, MD files, notes, and skills) to a separate Git repository.
- Uses an explicit allowlist to export only approved files, ensuring secrets are never synced by default.
- Supports one-shot and scheduled (e.g., nightly) syncs with commit grouping and remote push.
- Includes setup instructions, example scripts, and template configuration files.
Metadata
Slug openclaw-github-sync
Version 0.1.4
License
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is Openclaw Github Sync?

Keep an OpenClaw agent's non-sensitive context (selected memory, MD files, notes, and custom skills) under version control in a separate Git repository for r... It is an AI Agent Skill for Claude Code / OpenClaw, with 548 downloads so far.

How do I install Openclaw Github Sync?

Run "/install openclaw-github-sync" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Openclaw Github Sync free?

Yes, Openclaw Github Sync is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Openclaw Github Sync support?

Openclaw Github Sync is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Openclaw Github Sync?

It is built and maintained by Brad Vincent (@bradvin); the current version is v0.1.4.
