Sync
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: sync Version: 1.0.0 The skill bundle provides comprehensive instructions for using `rsync` and `rclone` for file synchronization, including local, remote, and cloud storage. The `SKILL.md` content focuses on best practices, such as using `--dry-run`, avoiding hardcoded credentials, and specifying SSH keys for remote operations. There is no evidence of intentional malicious behavior, data exfiltration, backdoor installation, or prompt injection designed to subvert the agent for harmful purposes. The instructions are clear, well-aligned with the stated purpose, and even promote good security hygiene.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user chooses the wrong source, destination, or delete option, files on the destination could be removed or overwritten.
The skill documents sync options that can delete destination files. This is purpose-aligned for synchronization and includes a dry-run warning, but misuse could still cause data loss.
Add `--delete` only when you want destination to mirror source exactly ... Use `--dry-run` before any destructive sync
Confirm source and destination paths, run a dry run first, and require explicit approval before using delete/mirror-sync behavior.
A configured cloud remote or SSH key could allow access to remote storage or systems if used with the wrong destination or account.
The skill may use rclone cloud credentials or SSH keys for remote synchronization. This is expected for the stated purpose and the artifact discourages hardcoding credentials, but these credentials can grant account or host access.
Configure remotes interactively: `rclone config` — never hardcode cloud credentials in scripts ... For SSH remotes, use key-based auth: `rsync -avz -e "ssh -i ~/.ssh/key" src/ user@host:dest/`
Use least-privilege cloud remotes or dedicated SSH keys, avoid broad account access where possible, and do not expose credential paths or sync logs unnecessarily.