diff --git a/.github/workflows/wiki-sync.yml b/.github/workflows/wiki-sync.yml
index afb5edb..305b5f3 100644
--- a/.github/workflows/wiki-sync.yml
+++ b/.github/workflows/wiki-sync.yml
@@ -44,7 +44,21 @@ jobs:
 fi
 cp wiki/INDEX.md wiki/Home.md
- WIKI_REMOTE="https://x-access-token:${AUTOMATION_TOKEN}@github.com/${{ github.repository }}.wiki.git"
+ # PAT auth for Git over HTTPS expects the token owner's login as username.
+ # Resolve it dynamically so the same flow works for PAT-based automation tokens.
+ TOKEN_USER="$(curl -fsSL -H "Authorization: Bearer ${AUTOMATION_TOKEN}" -H "Accept: application/vnd.github+json" https://api.github.com/user | jq -r '.login // empty' || true)"
+ if [ -z "$TOKEN_USER" ] || [ "$TOKEN_USER" = "null" ]; then
+ echo "::error::Unable to resolve token owner for POLL_NVD_CVES_PAT. Ensure it is a valid PAT with repo access."
+ exit 1
+ fi
+
+ REPO_PUSH_PERMISSION="$(curl -fsSL -H "Authorization: Bearer ${AUTOMATION_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${{ github.repository }}" | jq -r '.permissions.push // false' || true)"
+ if [ "$REPO_PUSH_PERMISSION" != "true" ]; then
+ echo "::error::POLL_NVD_CVES_PAT cannot push to ${{ github.repository }}. Grant Contents: write (fine-grained PAT) or repo scope (classic PAT), and ensure org approval/SSO authorization if required."
+ exit 1
+ fi
+
+ WIKI_REMOTE="https://${TOKEN_USER}:${AUTOMATION_TOKEN}@github.com/${{ github.repository }}.wiki.git"
 if ! git ls-remote "$WIKI_REMOTE" >/dev/null 2>&1; then
 echo "::warning::Wiki remote unavailable (repository wiki may be disabled). Skipping sync."
 exit 0
@@ -73,4 +87,5 @@ jobs:
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git add -A
 git commit -m "docs(wiki): sync from ${GITHUB_SHA}"
- git push origin HEAD:"$WIKI_BRANCH"
+ # Clone may sanitize credentials from origin URL; push with explicit auth URL.
+ git push "$WIKI_REMOTE" HEAD:"$WIKI_BRANCH"
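Review bot: Both pre-flight lookups end in `|| true` behind `curl -fsSL … | jq`, so a network failure, a rate limit, a token type for which `/user` is refused, or a missing `jq` all collapse into the same "Unable to resolve token owner" / "cannot push" error with no HTTP status to tell them apart. Capturing the status alongside the body, for example with curl's `-w '%{http_code}'`, and printing it in the `::error::` line would make a failed run diagnosable without re-running it with the secret. The `[ "$TOKEN_USER" = "null" ]` test is unreachable, since `.login // empty` never prints `null`. It is also worth confirming that `.permissions.push` describes what this token may do and not only the owner's role on the repository, because the step treats it as proof that the PAT can push; the `run:` script starts above the hunk, so its shell options are not visible here.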
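Review bot: `git push "$WIKI_REMOTE"` places the PAT-bearing URL on the command line of a command whose output is not redirected, unlike the `git ls-remote` probe in the first hunk, so the token is visible in the runner's process list and keeping it out of the log rests on secret masking and git's own URL redaction. Pushing to the credential-free URL and supplying the secret through a credential helper that reads the environment avoids both, e.g. `git -c credential.helper='!f(){ echo "username=$TOKEN_USER"; echo "password=$AUTOMATION_TOKEN"; };f' push "https://github.com/${GITHUB_REPOSITORY}.wiki.git" HEAD:"$WIKI_BRANCH"` (with `TOKEN_USER` exported). `WIKI_REMOTE` is assigned in the first hunk and the step boundaries lie outside both hunks, so it should be confirmed that the variable is still in scope at this line.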
diff --git a/README.md b/README.md index 1b85dea..91ef21b 100644 --- a/README.md +++ b/README.md @@ -51,9 +51,21 @@ ClawSec is a **complete security skill suite for AI agent platforms**. It provid --- -## 📚 Documentation Source of Truth +## 🎬 Product Demos -For all wiki content, edit files under `wiki/` in this repository. The GitHub Wiki (`.wiki.git`) is synced from `wiki/` by `.github/workflows/wiki-sync.yml` when `wiki/**` changes on `main`. +GitHub strips inline `