Claw Sync

Author: arakichanxd · GitHub · v2.0.2
cross-platform ⚠ suspicious
Total downloads: 3329 · Favorites: 6 · Current installs: 19 · Versions: 3
Install in OpenClaw
/install claw-sync
Description
Secure sync for OpenClaw memory and workspace. Use /sync to push, /restore to pull, /sync-status to check. Supports versioned backups and disaster recovery.
Usage (SKILL.md)

Claw Sync

Secure, versioned sync for OpenClaw memory and workspace.

Commands

/sync

Push your memory and skills to the remote repository.

/sync              → Push and create versioned backup
/sync --dry-run    → Preview what would be synced

/restore

Restore memory and skills from the remote repository.

/restore                        → Restore latest version
/restore latest                 → Same as above
/restore backup-20260202-1430   → Restore specific version
/restore latest --force         → Skip confirmation

/sync-status

Show sync configuration and local backup info.

/sync-status

/sync-list

List all available backup versions.

/sync-list

What Gets Synced

File           Description
MEMORY.md      Long-term memory
USER.md        User profile
SOUL.md        Agent persona
IDENTITY.md    Agent identity
TOOLS.md       Tool configs
AGENTS.md      Workspace rules
memory/*.md    Daily logs
skills/*       Custom skills

NOT Synced (security)

  • openclaw.json - Contains API keys
  • .env - Contains secrets

Setup Required

Create ~/.openclaw/.backup.env:

BACKUP_REPO=https://github.com/username/your-repo
BACKUP_TOKEN=ghp_your_token

Features

  • 🏷️ Versioned - Each sync creates a restorable version
  • 💾 Disaster Recovery - Local backup before every restore
  • 🔒 Secure - No config files synced, token sanitization
  • 🖥️ Cross-platform - Windows, Mac, Linux
Security recommendations
What to consider before installing:
  • Required secrets are not declared in the registry metadata: this skill needs BACKUP_REPO and BACKUP_TOKEN (stored in ~/.openclaw/.backup.env). The omission is a packaging/information risk — double-check you supply only the credentials you intend.
  • Use a minimal, revocable token in a private, dedicated repository: create a new private repo for backups and generate a fine-grained (or repo-scoped) token limited to that repository and to the minimum permissions required. Prefer revocable tokens so you can delete them quickly if needed.
  • Review what will be pushed: the tool copies workspace files and entire skills/* directories. Run a dry-run first (/sync --dry-run or node scripts/push.js --dry-run) to see exactly which files would be uploaded. Make sure no other skill stored secrets in file form under skills/ or workspace/ that you don't want off-machine.
  • Token handling risks: the scripts embed the token into git HTTPS URLs for exec'd commands. That is convenient but can leak tokens into process listings, temporary git configs, or logs if runs fail. To mitigate: run initial tests in a sandbox account or VM, monitor temporary folders (~/.openclaw/.sync-staging, .sync-restore, .local-backup) and delete them manually after successful runs, and prefer a short-lived token.
  • Check duplicates and packaging oddities: the package contains duplicated copies of the code (top-level and claw-sync/). That may be benign (packaging artifact) but is unusual — inspect which path your environment will execute (the SKILL.md points to node skills/claw-sync/index.js).
  • Cron/autosync: setup-cron only writes a config file and suggests activation; it does not enable system crontab by itself. Don't enable automatic scheduled backups until you've validated dry-run behavior and are confident about token scoping and which files are being uploaded.
  • If you proceed: run a dry-run, use a dedicated repo and token, review the code (push/pull scripts) yourself, test in an isolated environment, and rotate/delete the token after verifying functionality.
Functional analysis
Type: OpenClaw Skill
Name: claw-sync
Version: 2.0.2
The OpenClaw AgentSkills skill bundle 'claw-sync' is designed for secure, versioned synchronization of OpenClaw memory and workspace to a Git repository. It includes several security features such as explicit exclusion of sensitive files (`openclaw.json`, `.env`) from synchronization, validation of repository URLs to restrict to allowed hosts (GitHub, GitLab, Bitbucket), sanitization of tokens from error messages, and robust path/version validation to prevent command injection and path traversal during restore operations. While it uses `child_process.execSync` for Git operations and sets up a cron job for auto-sync, these actions are transparent, necessary for its stated purpose, and include mitigations against misuse. No evidence of intentional harmful behavior, data exfiltration beyond the configured repository, or malicious prompt injection was found.
Capability assessment
Purpose & Capability
The skill is a Git-backed backup/sync tool and the included scripts clearly require BACKUP_REPO and BACKUP_TOKEN stored at ~/.openclaw/.backup.env. However, the registry metadata lists no required environment variables or primary credential — a clear mismatch. Other than that omission, the requested capabilities (reading workspace files and pushing/pulling to a git repo) are consistent with the described purpose.
Instruction Scope
Runtime instructions and scripts stay within the stated purpose (push/pull/list/status/setup). They read/write files under ~/.openclaw/workspace and copy entire skills/* directories into the backup. That is expected, but copying skills/* can unintentionally include sensitive files if other skills store secrets in files. The SKILL.md and code explicitly exclude openclaw.json and .env, which reduces some risk.
Install Mechanism
No install spec — this is an instruction + code-only skill. All code is present in the package (no remote installs or URL downloads), which lowers supply-chain risk. There are duplicated files and nested copies (top-level vs claw-sync/), which is odd but not directly dangerous.
Credentials
The scripts need a high-privilege GitHub/GitLab token (read/write to the repo) and a repository URL — those are proportionate to performing backups. The concern is that the registry did not declare these required env vars. The code embeds the token into HTTPS git URLs for exec'd git commands (repo.replace('https://', `https://${token}@`)), which can expose the token in process arguments, temporary git configs, or if temporary staging/restore dirs are left behind. The code attempts to sanitize error output and cleans up staging dirs, but token leakage scenarios remain possible if something fails mid-run.
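The exposure described above, next to one way to avoid it, as an added example that is not claw-sync's own code. The function names, the `x-access-token` username and the sample token are assumptions made for illustration; `BACKUP_TOKEN` is reused from the setup file only as the name of the environment variable.

```javascript
// Added example, not claw-sync's own code; function names are hypothetical.
const { execFileSync } = require('node:child_process');

// Pattern quoted in the analysis: the token becomes part of the remote URL,
// so it lands in git's argv and in .git/config of the staging clone.
function embeddedUrlArgs(repo, token, dir) {
  return ['clone', repo.replace('https://', `https://${token}@`), dir];
}

// Alternative: keep the URL clean and let an inline credential helper read
// the token from the child's environment. Assumes the host accepts the token
// as the HTTPS password (GitHub does for personal access tokens).
function helperInvocation(repo, token, dir) {
  const helper = '!f() { echo username=x-access-token; echo "password=$BACKUP_TOKEN"; }; f';
  return {
    // The empty credential.helper entry clears helpers configured elsewhere.
    args: ['-c', 'credential.helper=', '-c', `credential.helper=${helper}`, 'clone', repo, dir],
    env: { ...process.env, BACKUP_TOKEN: token, GIT_TERMINAL_PROMPT: '0' },
  };
}

// True if the secret would be visible in a process listing.
function tokenInArgv(args, token) {
  return args.some((a) => a.includes(token));
}

// Scrub the token from anything that might be logged or rethrown.
function redact(text, token) {
  return String(text).split(token).join('***');
}

// Run git without a shell; errors are rethrown with the token removed.
function cloneWithHelper(repo, token, dir) {
  const { args, env } = helperInvocation(repo, token, dir);
  try {
    return execFileSync('git', args, { env, stdio: 'pipe', encoding: 'utf8' });
  } catch (err) {
    throw new Error(redact(err.stderr || err.message, token));
  }
}

// Constructed sample values; the token is a placeholder, not a real credential.
const REPO = 'https://github.com/username/your-repo';
const TOKEN = 'ghp_EXAMPLEONLY0000';
console.log(tokenInArgv(embeddedUrlArgs(REPO, TOKEN, 'stage'), TOKEN));       // true
console.log(tokenInArgv(helperInvocation(REPO, TOKEN, 'stage').args, TOKEN)); // false
```

The `-c` settings apply to a single git invocation, so nothing is written to the clone's config; the token is still readable from the child's environment by the same user, which is why a narrowly scoped, revocable token remains the main control.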
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. Setup writes its own cron config to ~/.openclaw/cron/backup.json and suggests how to activate it; it does not force a system cron entry automatically. This level of persistence is expected for an auto-backup helper.
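How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install claw-sync
  3. Once installation finishes, call the skill by name or trigger it with /claw-sync
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history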
v2.0.2
Version 2.0.2 of claw-sync introduces a major refactor and restructuring:
  • Migrated all source code and scripts into a dedicated claw-sync/ subdirectory.
  • Added example configuration and documentation files: README.md, SKILL.md, .gitignore, and config.example.env.
  • Introduced modular scripts for pull, push, cron setup, and status operations.
  • Updated command structure for improved usability and clarity.
  • Removed the old root-level .gitignore file.
v2.0.1
  • Introduced unified command-line interface: /sync, /restore, /sync-status, /sync-list.
  • Added index.js entry point to handle all sync, restore, status, and listing operations.
  • Updated documentation to focus on simple commands and improved usage instructions.
  • Maintained all security and disaster recovery features while simplifying usage.
v2.0.0
Claw Sync 2.0.0: Major security and backup enhancements for OpenClaw syncing.
  • Adds versioned backups with restore-any-version support.
  • Introduces disaster recovery: creates local backup before any restore.
  • Significantly improves security (no config or credential files synced; URL and path traversal protections).
  • Defines exactly which files and directories are synced.
  • New quick commands for push, pull, restore, version listing, and status checking.
  • Full cross-platform support (Windows, Mac, Linux).
Metadata
Slug: claw-sync
Version: 2.0.2
License:
Total installs: 20
Current installs: 19
Version count: 3
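FAQ

What is Claw Sync?

Secure sync for OpenClaw memory and workspace. Use /sync to push, /restore to pull, /sync-status to check. Supports versioned backups and disaster recovery. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 3329 total downloads so far.

How do I install Claw Sync?

Run the command "/install claw-sync" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Claw Sync free?

Yes, Claw Sync is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Claw Sync support?

Claw Sync is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Claw Sync?

It is developed and maintained by arakichanxd (@arakichanxd); the current version is v2.0.2.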
