Sync

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent or user chooses the wrong source, destination, or delete option, files on the destination could be removed or overwritten.

Why it was flagged

The skill documents sync options that can delete destination files. This is purpose-aligned for synchronization and includes a dry-run warning, but misuse could still cause data loss.

Skill content

Add `--delete` only when you want destination to mirror source exactly ... Use `--dry-run` before any destructive sync

Recommendation

Confirm source and destination paths, run a dry run first, and require explicit approval before using delete/mirror-sync behavior.

What this means

A configured cloud remote or SSH key could allow access to remote storage or systems if used with the wrong destination or account.

Why it was flagged

The skill may use rclone cloud credentials or SSH keys for remote synchronization. This is expected for the stated purpose and the artifact discourages hardcoding credentials, but these credentials can grant account or host access.

Skill content

Configure remotes interactively: `rclone config` — never hardcode cloud credentials in scripts ... For SSH remotes, use key-based auth: `rsync -avz -e "ssh -i ~/.ssh/key" src/ user@host:dest/`

Recommendation

Use least-privilege cloud remotes or dedicated SSH keys, avoid broad account access where possible, and do not expose credential paths or sync logs unnecessarily.