Dotfile Sync Manager
ReviewAudited by ClawScan on May 10, 2026.
Overview
This instruction-only sync skill appears purpose-aligned, but it can change dotfile/MCP/Syncthing configurations and write persistent project memory, so review actions before running them.
Install or use this only if you want an agent to help manage dotfiles, MCP server configs, Syncthing settings, and project memory. Before allowing actions, review chezmoi diffs, confirm Syncthing paths and devices, verify MCP servers are trusted, and inspect any knowledge before it is saved to Serena memory.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with the wrong path or settings, the agent could alter what Syncthing shares across devices.
The skill documents direct Syncthing REST API calls that can add or change a synced folder. This is expected for Syncthing setup, but it is still a powerful configuration action.
curl -X POST -H "X-API-Key: $API_KEY" ... http://localhost:8384/rest/config/folders ... "path": "~/.local/share/chezmoi"
Review the folder path, folder ID, and Syncthing settings before allowing the command to run.
Running these commands can disrupt Syncthing temporarily and remove the local index backup after verification.
The DB reset procedure stops a service, moves the Syncthing index, and later deletes the backup. The guide scopes this to Syncthing and says to remove the backup after verification, so it is a note rather than a concern.
brew services stop syncthing ... mv ~/Library/Application\ Support/Syncthing/index-v2 ... index-v2.bak ... rm -rf ~/Library/Application\ Support/Syncthing/index-v2.bak
Only use the reset workflow for a real stale-index problem, verify sync health first, and keep the backup until recovery is confirmed.
Anyone controlling these commands could query or modify the local Syncthing instance using its API key.
The skill reads the local Syncthing API key and uses it for localhost REST calls. This is purpose-aligned, but the key grants privileged access to Syncthing configuration.
API_KEY=$(xmllint --xpath '//configuration/gui/apikey/text()' ~/Library/Application\ Support/Syncthing/config.xml)
Use this only with trusted agents, avoid exposing command logs containing the key, and confirm requests go only to the intended localhost Syncthing endpoint.
Sensitive project details, outdated assumptions, or mistaken conclusions from a session could be saved and influence future agent behavior.
The skill can extract session knowledge and write it into Serena persistent memory, including overwriting existing memory. This is the stated purpose, but it creates durable context that future tasks may reuse.
Automatically extracts knowledge from a specific session using MCP ... Use mcp__serena__write_memory ... Overwrite if existing memory exists
Review extracted knowledge before saving, avoid storing secrets, and be careful when overwriting existing memory.
Project/session content may pass through registered MCP tools before being stored.
The workflow bridges MCP/UTCP/code-mode tools to move knowledge between a sessions service and Serena memory. This is disclosed, but trust and permissions are controlled by those external MCP registrations.
Call mcp__code-mode__call_tool_chain tool: tool_call_chain: "claude_sessions.claude_sessions_mcp_extract_project_knowledge" ... "serena.serena_write_memory"
Confirm the registered MCP templates and servers are trusted before syncing knowledge through them.
A bad MCP server entry or unintended config change could break or alter tool behavior across several apps.
A single MCP server list change is designed to propagate into several agent/tool configurations. This is coherent with the sync purpose, but mistakes can affect multiple applications at once.
After editing, `chezmoi apply` → Automatically applied to all apps: `~/.claude.json`, `~/.cursor/mcp.json`, `~/.gemini/antigravity/mcp_config.json`, `~/.utcp_config.json`
Inspect the chezmoi diff before applying, validate new MCP servers, and keep a rollback path for generated configs.