Sync
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only sync skill is coherent and purpose-aligned, but users should be careful because sync commands can delete files and may use cloud or SSH credentials.
This skill appears safe to install as an instruction-only sync helper. Before using it, make sure you understand which folder or remote is the source and which is the destination, run dry-run checks first, and be especially cautious with --delete or rclone sync because they can remove destination files.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user chooses the wrong source, destination, or delete option, files on the destination could be removed or overwritten.
The skill documents sync options that can delete destination files. This is purpose-aligned for synchronization and includes a dry-run warning, but misuse could still cause data loss.
Add `--delete` only when you want destination to mirror source exactly ... Use `--dry-run` before any destructive sync
Confirm source and destination paths, run a dry run first, and require explicit approval before using delete/mirror-sync behavior.
A configured cloud remote or SSH key could allow access to remote storage or systems if used with the wrong destination or account.
The skill may use rclone cloud credentials or SSH keys for remote synchronization. This is expected for the stated purpose and the artifact discourages hardcoding credentials, but these credentials can grant account or host access.
Configure remotes interactively: `rclone config` — never hardcode cloud credentials in scripts ... For SSH remotes, use key-based auth: `rsync -avz -e "ssh -i ~/.ssh/key" src/ user@host:dest/`
Use least-privilege cloud remotes or dedicated SSH keys, avoid broad account access where possible, and do not expose credential paths or sync logs unnecessarily.
