Skill v1.0.0
ClawScan security
file-sync · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 7:55 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions match its stated purpose (bidirectional folder sync); it only touches local files and writes state/log/conflict/trash directories in the synced folders and does not request credentials or network access.
- Guidance: This skill appears to do what it says: a local, bidirectional folder synchronizer. Before using it on important data, test it on copies of your folders: the script will create/modify files (.sync_state.json) and directories (.conflict, .trash, .sync_logs) inside the folders you give it, and it will move files into .trash or copy files during normal operation. It does not use the network or ask for credentials. Avoid running multiple sync processes concurrently on the same folders (risk of state corruption), and inspect the .conflict/ and .trash/ contents before deleting anything. If you need remote/cloud sync or encryption, this script does not provide those features. If you want higher assurance, review or run the script in a safe test environment first.
Review Dimensions
- Purpose & Capability (ok): Name/description describe a local bidirectional file sync tool and the included script implements exactly that: recursive file traversal, MD5-based hashes, per-file history, conflict handling, .conflict/.trash/.sync_logs and .sync_state.json. No unrelated capabilities (cloud, network, or extra credentials) are requested.
- Instruction Scope (note): SKILL.md instructs running the bundled Python script with two folder paths and a device name. The runtime instructions and code only access the provided directories and their contents (creating .sync_state.json, .conflict, .trash, .sync_logs). This is within scope, but be aware the script will modify, copy, move (to .trash) and overwrite files as part of normal operation and does not support concurrent runs on the same folder — state corruption or unexpected copies can occur if multiple syncs run simultaneously or if the state file is corrupted.
- Install Mechanism (ok): There is no install spec (instruction-only plus a local Python script). Nothing is downloaded or installed automatically by the skill bundle.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The script requires only filesystem access to the two directories you provide, which is consistent with a local sync tool.
- Persistence & Privilege (ok): The skill does not request permanent platform presence (always:false) and does not modify other skills or system-wide agent settings. It persists state only inside the synced directories (.sync_state.json, .conflict, .trash, .sync_logs), which is expected for this functionality.
