v2.0.0

OpenClaw Sync Bridge

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:05 AM.

Analysis

The skill is mostly aligned with its stated sync purpose, but the provided code shows unsafe cloud-to-local file writing, and the skill handles sensitive OpenClaw configuration, skills, and a GitHub token.

Guidance: Install only if you are comfortable syncing OpenClaw identity/configuration files and skills through GitHub Gist. Review the installer before running it, use a limited GitHub token, inspect every diff before pull/push, and be especially cautious until the cloud-to-local path handling is fixed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: Medium | Status: Concern
sync_bridge.py
```python
local = ws / gist_name.replace("__", os.sep)
local.parent.mkdir(parents=True, exist_ok=True)
local.write_text(content, encoding='utf-8')
```

Remote/Gist file names are converted into local paths and written without evident normalization or checks that the final path remains inside the OpenClaw workspace.

User impact: A crafted or corrupted cloud sync entry could cause a pull operation to overwrite files outside the intended workspace with the user's local permissions.
Recommendation: Reject absolute paths, '..' components, and unexpected separators; resolve the destination path and require it to remain under the configured workspace before writing.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
```bash
curl -fsSL https://clawhub.ai/JayShna/openclaw-sync-bridge/install.sh | bash
```

The documented installer pipes a remotely fetched shell script directly to the shell; the Windows instructions similarly use `irm ... | iex`.

User impact: Installing this way executes whatever the remote URL serves at install time.
Recommendation: Prefer reviewing the included installer locally before running it, and publish a pinned install spec or checksums for the remote installer.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`sync_config.json`:
```json
{
  "token": "ghp_xxxxxxxx",
  "gist_id": "abc123...",
  "workspace": "/path/to/workspace"
}
```

The skill uses a GitHub token and stores it in a local JSON configuration file for Gist access.

User impact: Anyone who can read the local config file may be able to use the GitHub token's Gist permissions.
Recommendation: Use a least-privilege token, protect the config file permissions, rotate the token if exposed, and avoid placing the config file in any synced or shared directory.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Default sync:
- `SOUL.md` - AI persona settings
- `AGENTS.md` - workspace configuration
- `USER.md` - user information
- `IDENTITY.md` - identity settings
- `TOOLS.md` - tool configuration
- `skills/` - all skill directories

The skill intentionally syncs persistent agent instructions, user/identity data, tool configuration, and all installed skills through a cloud Gist.

User impact: Synced content may contain private information or persistent instructions that influence the agent on multiple devices.
Recommendation: Review diffs before every pull/push, keep the Gist private, exclude files that contain secrets or sensitive personal context, and avoid syncing untrusted skill directories.