Is arakichanxd/claw-sync safe?
https://github.com/openclaw/skills/tree/main/skills/arakichanxd/claw-sync
Claw-sync is a legitimate workspace backup skill with good security practices (URL validation, token sanitization, path traversal protection, canary files untouched). However, it syncs broad sensitive data — agent memory, identity, persona, and ALL skill directories recursively — to a remote git repo, and its auto-sync cron feature creates persistent data flow without per-operation consent. The combination of recursive skill copying and automated sync creates an indirect exfiltration vector if combined with malicious skills.
Findings (11)
HIGH Broad sensitive data sync to remote repository -20
The push.js script copies MEMORY.md, USER.md, SOUL.md, IDENTITY.md, TOOLS.md, AGENTS.md, all daily memory logs, and ALL skill directories to a staging area, then pushes everything to a remote git repo. These files contain the agent's long-term memory, user preferences, and agent persona — potentially including conversation summaries, personal details, and workspace configuration that users may not intend to share externally.
HIGH Recursive skill directory copy includes all nested content -10
The push script copies ALL skill directories recursively without content filtering. If any installed skill stores local state, cached credentials, API responses, or user data in its directory, that data is silently included in the sync. There is no allowlist/denylist for file types within skill directories.
MEDIUM Automated cron sync enables persistent data exfiltration -7
setup-cron.js configures a 12-hour automatic sync that runs push.js without user interaction. Once enabled, all workspace changes are automatically pushed to the remote repo. Users may forget this is active and inadvertently sync sensitive data added after initial setup.
MEDIUM Shell command execution via execSync for git operations -15
push.js and pull.js use execSync to run git commands including git init, git push --force, and git clone with the authentication token embedded in the URL. While the commands are scoped to git operations and the token is sanitized in error messages, the use of execSync with string interpolation introduces a theoretical injection risk if STAGING_DIR or tag names were manipulated.
MEDIUM Force push destroys remote backup history -10
push.js uses git push --force to the main branch, which overwrites the remote's commit history on every sync. While version tags are preserved, the main branch only ever contains the latest snapshot. A compromised or buggy sync could destroy the user's backup without recovery from the main branch.
MEDIUM Restore from remote can overwrite entire workspace -15
pull.js with --force flag skips confirmation and overwrites all workspace files from the remote repository content. If the remote repo is compromised (e.g., token leaked), an attacker could push malicious content that gets restored into the user's workspace, potentially including modified skill files that execute on next agent interaction.
MEDIUM Skill acts as indirect exfiltration vector for other malicious skills -10
Because claw-sync recursively copies all skill directories, a malicious skill could write stolen data (credentials, file contents) to a file within its own directory, and claw-sync would automatically push that data to the remote repo on the next sync cycle — creating a two-stage exfiltration chain.
LOW Duplicate SKILL.md frontmatter blocks -5
The SKILL.md contains two complete frontmatter sections (two --- delimited blocks) with slightly different metadata. The first block has version-less metadata, the second includes version, author, repository, tags, and file references. This is likely a formatting error rather than an injection attempt, but parsers may behave unpredictably.
LOW Recursive directory deletion in cleanup -5
Both push.js and pull.js use fs.rmSync with recursive:true to clean up staging/restore directories. While the paths are hardcoded to known locations (~/.openclaw/.sync-staging and ~/.openclaw/.sync-restore), a symlink attack could potentially redirect the deletion to unintended locations.
INFO Good practice: Secret files explicitly excluded from sync 0
The skill correctly excludes openclaw.json and .env from synchronization, and the loadEnv function only reads from a dedicated .backup.env file rather than the main environment.
INFO Good practice: Input validation and sanitization 0
The skill implements URL validation (HTTPS + host allowlist), token format validation, git tag format validation (regex whitelist), path traversal protection in filenames, and token sanitization in error messages.