首页龙虾技能列表 › Publish

💾 Publish

v1.0.12

Backup and restore your OpenClaw workspace to GitHub

1· 434·5 当前·5 累计
by @nickconstantinou·MIT-0
下载技能包
License
MIT-0
最后更新
2026/2/26
安全扫描
VirusTotal
无害
查看报告
OpenClaw
安全
high confidence
The skill's files, runtime instructions, and required environment variables are consistent with its stated purpose (backing up/restoring an OpenClaw workspace to GitHub); no disproportionate access or unexpected network endpoints were found.
评估建议
This skill appears to do what it claims. Before installing or running it: 1) create a fine-grained GitHub PAT limited to the single backup repo (Contents: Write) and set it as GITHUB_TOKEN; 2) test the scripts against a disposable workspace to observe excluded-file behavior and secret-detection false positives; 3) ensure rsync is available (the script falls back to cp which does not preserve excludes, although the secret-scan will abort if it finds leaked secrets); 4) review the included sync.sh...
详细分析 ▾
用途与能力
Name/description (backup/restore to GitHub) match the required env vars (GITHUB_TOKEN, BACKUP_REPO, OPENCLAW_WORKSPACE) and the included scripts. Required inputs and documented behavior are appropriate for a GitHub-based backup tool.
指令范围
SKILL.md and the two scripts limit operations to copying allowed workspace subfolders, scanning for secrets, and pushing to the configured GitHub repo. Notable caveats: the scripts fallback from rsync to a plain cp which does not apply the same exclude flags (but a comprehensive secret-scan runs afterwards); the secret-detection regex is broad and may produce false positives that abort backups. Otherwise, the instructions do not read unrelated system files or send data to unexpected endpoints.
安装机制
Instruction-only skill with bundled shell scripts; no install spec or remote downloads. Low install risk — nothing is fetched from arbitrary URLs.
凭证需求
Requested environment variables are proportional to the task: repository name, workspace path, and GitHub token. The SKILL.md explicitly recommends using a fine-grained PAT limited to the backup repo (good practice).
持久化与权限
always is false and the skill does not request persistent system-wide changes or modify other skills. It runs as an on-demand tool invoked by the agent or user.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.122026/2/25

- Expanded backup scope to include project code from `$OPENCLAW/workspace/projects/`, excluding credentials. - Updated documentation to clarify excluded files, especially personal/workspace-specific files like AGENTS.md and configuration data. - Removed `scripts/test.sh` from the repository. - Minor updates to `README.md`, `SKILL.md`, and `sync.sh` to align with new backup/exclusion rules.

● 无害

安装命令 点击复制

官方npx clawhub@latest install publish
镜像加速npx clawhub@latest install publish --registry https://cn.clawhub-mirror.com

技能文档

Backup and restore your OpenClaw workspace to GitHub.

⚠️ Security First

This skill is designed with defense-in-depth. Please read carefully.

What It Backs Up

CategoryFilesStatus
SkillsAll from $OPENCLAW/skills/See notes below
ScriptsAll from $OPENCLAW/scripts/See notes below
Project CodeAll from $OPENCLAW/workspace/projects/Excluding credentials

What It Does NOT Back Up (Personal/Workspace-Specific)

These files are explicitly excluded as they are personal or workspace-specific:

  • AGENTS.md, SOUL.md, USER.md, TOOLS.md, IDENTITY.md, HEARTBEAT.md — Personal agent configuration
  • SITES.md — May contain API keys/secrets
  • MEMORY.md — Contains sensitive conversation data
  • Any file in credentials/, .env, node_modules/

What It Excludes

  • ❌ API keys and tokens (any format)
  • ❌ Credentials folder
  • ❌ .env files
  • ❌ node_modules
  • ❌ .git directories
  • ❌ Nested git repositories
  • ❌ Files containing secrets (detected by regex)

Secret Detection

ClawSync scans for these secret patterns:

  • GitHub tokens (ghp_)
  • OpenAI keys (sk-)
  • Google API keys (AIza)
  • Slack tokens (xoxb-, xoxp-)
  • AWS access keys (AKIA)
  • JWTs and bearer tokens
  • Private keys (-----BEGIN PRIVATE KEY-----)
  • High-entropy strings

If any are detected → backup aborts before push.

Environment Variables (Required)

export GITHUB_TOKEN="ghp_xxxx"
export BACKUP_REPO="username/repo-name"
export OPENCLAW_WORKSPACE="${HOME}/openclaw-workspace"

🔐 Recommended: Fine-Grained PAT

For least privilege, use a GitHub Fine-Grained PAT:

  • Go to GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens
  • Create new token with:
- Repository access: Only $BACKUP_REPO - Permissions: Contents: Write
  • Use this token as GITHUB_TOKEN

Quick Start

git clone https://github.com/your-username/clawsync.git ~/clawsync
cp .env.example .env
# Edit .env with your values
bash sync.sh

Features

  • Pre-flight Check: Validates required env vars before running
  • Strict Whitelist: Only copies explicitly allowed files
  • Deny List: Filters out .git, credentials, node_modules
  • Secret Scrubbing: Detects 100+ secret patterns, aborts if found
  • Safe Restore: Requires --force or confirmation before overwriting

Safe Restore

# With confirmation (default)
bash restore.sh
# Force mode (no prompt)
bash restore.sh --force

Auth

Uses gh CLI if available, falls back to token auth.

Files

  • sync.sh - Backup script (ShellCheck compliant)
  • restore.sh - Restore script
  • .env_example - Template
  • .gitignore - Blocks secrets

Development & Release

Running Tests Locally

# Set up test workspace
mkdir -p /tmp/test-workspace
echo "test" > /tmp/test-workspace/AGENTS.md
echo "test" > /tmp/test-workspace/USER.md
mkdir -p /tmp/test-workspace/skills /tmp/test-workspace/scripts
# Run integration test
export BACKUP_REPO="test/repo"
export OPENCLAW_WORKSPACE="/tmp/test-workspace"
export GITHUB_TOKEN="dummy"
cd /tmp && rm -rf test-backup-repo && mkdir test-backup-repo
cd test-backup-repo && git init
cp ~/clawsync/sync.sh .
bash sync.sh

Testing Secret Detection

# Create a test file with a fake secret
echo "My API key is ghp_test1234567890abcdefghijklmnopqrstuvwxyz" > /tmp/test-workspace/AGENTS.md
# Run sync - should abort with error
bash sync.sh
# Expected output: "Error: Potential secret detected..."

Security Audit Test (Proves Non-Staged Detection)

This test verifies the script catches secrets BEFORE they are staged:

# Set up test workspace
export BACKUP_REPO="test/repo"
export OPENCLAW_WORKSPACE="/tmp/test-workspace"
export GITHUB_TOKEN="dummy"
# Create workspace with secret in a non-staged file
mkdir -p /tmp/test-workspace
echo "Real API key: sk-realapikey12345678901234567890" > /tmp/test-workspace/AGENTS.md
# Copy sync.sh to temp backup dir
cd /tmp && rm -rf audit-test && mkdir audit-test && cd audit-test
git init
cp ~/clawsync/sync.sh .
# Run sync - should FAIL (catches non-staged secret)
bash sync.sh
# Expected: "Error: Potential secret detected in backup directory!"
# This proves the pre-git-add scanning works

Publishing to ClawHub

The CI runs on every push and pull request:

  • ShellCheck - Lints bash scripts
  • Integration test - Verifies backup/restore works

To publish a new version:

git add -A
git commit -m "Release v1.0.x"
git tag v1.0.x
git push origin master --tags

CI will automatically:

  • Run tests
  • If tests pass and tag starts with v, publish to ClawHub
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务