ClawSync
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: getlighty-clawsync
Version: 2.0.0

The OpenClaw AgentSkills skill bundle "clawsync" is classified as **suspicious**. The primary indicators are:

1. **Unauthorized Data Collection/Privacy Violation**: The `SKILL.md` documentation explicitly states that `openclaw config.json` and `credentials/` are "OPT-IN SYNC" and that `credentials/` are "encrypted separately". However, the `sync-engine.sh` script unconditionally uses `rsync` to mirror the *entire* OpenClaw directory (`$HOME/.openclaw` or `$HOME/clawd`) into `$VAULT_DIR/openclaw/`, and that directory is then included in the archive that `providers/cloud.sh` sends to the cloud provider. The archive is described as encrypted with the client's Ed25519 key, which never leaves the machine; note that Ed25519 is a signature scheme rather than an encryption scheme, so that description on its own does not establish confidentiality. Either way, the behaviour directly contradicts the stated opt-in policy in the documentation, leading to collection and storage of potentially sensitive OpenClaw configuration and credentials on a third-party service without the user's consent. This is a significant breach of privacy expectations.

2. **Shell Injection Vulnerability (Prompt Injection against Agent)**: The `clawsync.sh profile pull <name>` command, which the AI agent is instructed to use, does not validate the `<name>` argument. If an attacker (or a user manipulated by an attacker) supplies a malicious string such as `$(rm -rf /)` as the profile name, the agent would execute `clawsync.sh profile pull "$(rm -
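The profile-name sink from indicator 2, as an added example that is not part of ClawSync or of the VirusTotal analysis: a minimal vulnerable command build beside a hardened one. `unsafe_pull`, `safe_pull` and `validate_profile_name` are hypothetical names standing in for whatever `clawsync.sh` does internally, and the demonstration uses the harmless payload `$(echo INJECTED)` rather than a destructive one.

```shell
#!/bin/sh
# Added example (not ClawSync code). Shows why an unvalidated profile name is
# a command-injection sink once it reaches a shell, and the allow-list check
# that closes it. Function names are hypothetical.

# validate_profile_name NAME
# Allow-list: 1-64 chars of letters, digits, dot, underscore, hyphen.
# Returns 0 when the name is safe to place in a command or path, 1 otherwise.
validate_profile_name() {
    [ ${#1} -le 64 ] || return 1
    case "$1" in
        ""|.|..)              return 1 ;;   # empty or directory-traversal tokens
        -*)                   return 1 ;;   # would be parsed as an option
        *[!A-Za-z0-9._-]*)    return 1 ;;   # any other byte: $ ( ) ` ; | / space ...
    esac
    return 0
}

# Vulnerable pattern: the name is spliced into a string that a shell parses
# again (eval, sh -c, or an agent pasting the line into its terminal).
# The $(...) inside the name executes before "pull" ever sees an argument.
unsafe_pull() {
    eval "echo pull $1"
}

# Hardened pattern: reject anything outside the allow-list, then pass the
# name as a single quoted argument so no shell re-parses it.
safe_pull() {
    validate_profile_name "$1" || { echo "rejected: $1" >&2; return 2; }
    echo "pull" "$1"
}

# Demonstration (runs when the file is executed directly):
unsafe_pull 'work-laptop'            # pull work-laptop
unsafe_pull '$(echo INJECTED)'       # pull INJECTED   (the substitution ran)
safe_pull   'work-laptop'            # pull work-laptop
safe_pull   '$(echo INJECTED)' || :  # rejected: $(echo INJECTED)
```

The `eval` line models both failure modes the indicator describes: the script re-parsing the name, and the agent's own tool shell expanding `$(...)` before `clawsync.sh` is even invoked. Script-side validation only helps with the first; for the second, the skill's instructions have to tell the agent to apply the same allow-list before it builds the command line at all.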
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Personal agent memory and project context may be copied to remote storage and reused across machines.
This defines persistent identity, memory, and project context that will be automatically synced to the chosen storage provider.
ALWAYS SYNCED ... identity/USER.md ... knowledge/MEMORY.md ... knowledge/projects/ ... Auto-sync is ON by default after setup
Review the vault contents before enabling sync, avoid storing secrets in memory/project files, and choose a provider and retention settings you trust.
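An opt-in-respecting sync step, as an added example that is not the skill's own `sync-engine.sh` (which the overview says mirrors the whole directory): by default it copies only the set SKILL.md lists as ALWAYS SYNCED, touches `config.json` and `credentials/` only when a flag says so, and prints what would be archived so the vault can be reviewed before sync is enabled. It uses `cp` and `find` in place of `rsync` so it runs anywhere; the source layout, flag positions and all function names are assumptions based on the excerpts quoted above, and the sample directory it builds is constructed data.

```shell
#!/bin/sh
# Added example, not the skill's sync-engine.sh. Mirrors only what SKILL.md
# lists as ALWAYS SYNCED unless the caller opts in to the rest. cp/find stand
# in for rsync; the source layout and function names are assumptions.

ALWAYS_SYNCED="identity/USER.md knowledge/MEMORY.md knowledge/projects"
OPT_IN_CONFIG="config.json"      # documented as OPT-IN SYNC
OPT_IN_CREDENTIALS="credentials" # documented as OPT-IN SYNC

# copy_path SRC VAULT RELPATH: copy one file or tree, creating parent dirs.
copy_path() {
    cp_src="$1/$3"
    cp_dst="$2/$3"
    [ -e "$cp_src" ] || return 0        # a missing path is not an error
    mkdir -p "$(dirname "$cp_dst")"
    cp -R "$cp_src" "$cp_dst"
}

# sync_vault SRC VAULT [SYNC_CONFIG] [SYNC_CREDENTIALS]
# Flags unset or 0 (the default): config.json and credentials/ never reach
# the vault, so they can never be bundled into the uploaded archive.
sync_vault() {
    sv_src="$1"; sv_vault="$2"
    sv_cfg="${3:-0}"; sv_creds="${4:-0}"
    for rel in $ALWAYS_SYNCED; do
        copy_path "$sv_src" "$sv_vault" "$rel"
    done
    if [ "$sv_cfg" = 1 ];   then copy_path "$sv_src" "$sv_vault" "$OPT_IN_CONFIG"; fi
    if [ "$sv_creds" = 1 ]; then copy_path "$sv_src" "$sv_vault" "$OPT_IN_CREDENTIALS"; fi
}

# list_vault VAULT: every file that would be archived and uploaded, one per
# line, relative to the vault. Review this before enabling auto-sync.
list_vault() {
    (cd "$1" && find . -type f | sed 's|^\./||' | sort)
}

# make_fixture DIR: constructed sample OpenClaw directory (not real data).
make_fixture() {
    mkdir -p "$1/identity" "$1/knowledge/projects/demo" "$1/credentials"
    echo "name: example user"           > "$1/identity/USER.md"
    echo "- remembered fact"            > "$1/knowledge/MEMORY.md"
    echo "demo notes"                   > "$1/knowledge/projects/demo/NOTES.md"
    echo '{"provider":"cloud"}'         > "$1/config.json"
    echo "FAKE-TOKEN-not-a-real-secret" > "$1/credentials/channel.token"
}

# Run with --demo to see the default vault contents for the sample directory.
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"
    make_fixture "$tmp/openclaw"
    sync_vault "$tmp/openclaw" "$tmp/vault/openclaw"
    list_vault "$tmp/vault"
    rm -rf "$tmp"
fi
```

With the defaults, `list_vault` shows only the three always-synced files; `credentials/channel.token` and `config.json` appear only after an explicit `1` for the matching flag, which is the behaviour the documentation promises and the audited script does not implement.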
Vault changes may continue uploading after the original request unless the user stops or disables sync.
This describes persistent background activity that continues after setup, though it is aligned with the skill's sync purpose.
Auto-sync is ON by default after setup — like iCloud. The user should not have to think about syncing. Changes are pushed within 30 seconds.
Confirm how to stop auto-sync, monitor provider activity, and disable background syncing when not needed.
Users may believe synced memory and project data is encrypted end-to-end when the provided artifacts do not clearly prove that protection.
This is a strong privacy claim. The provided cloud API artifacts show Ed25519-style signature verification and storage of uploaded archive bytes, but the supplied evidence does not clearly demonstrate client-side encryption before remote storage.
Encrypted: Ed25519 keypair per installation — private key never leaves the machine
Verify the actual encryption design before syncing sensitive data, and prefer explicit client-side encryption with user-held keys.
Automatic cloud sync could lead to paid usage as the vault grows beyond the free tier.
The managed cloud upload path can create a metered subscription and report usage when a pushed archive exceeds the free tier; the artifacts do not show a per-push user approval step for paid billing.
if (!vault.stripe_subscription_id && data.length > 50 * 1024 * 1024) { const subId = await billing.ensureSubscription(...); ... } ... await billing.reportUsage(...)
Require explicit user confirmation before enabling paid cloud billing, show quotas before upload, and provide clear cost alerts.
Storage or channel credentials could grant access to synced vault data if mishandled or over-scoped.
The skill may request storage-provider credentials and can optionally sync channel credentials; this is expected for the product but sensitive and not reflected in the registry credential metadata.
Google Drive ... OAuth flow ... Dropbox ... OAuth flow ... FTP/SFTP ... credentials ... OPT-IN SYNC: ... credentials/
Use least-privilege storage accounts, avoid syncing credentials unless necessary, and confirm where credentials are stored and encrypted.
If approved, the skill can change the local software environment.
The skill can help install system packages during migration; the instructions say to show commands and ask first, making this purpose-aligned but still system-mutating.
"install missing packages" → `track-packages.sh install` — shows commands, asks before running
Review package diffs and generated install commands before allowing them to run.
