Data Sync
v1.0.0重要数据同步工具。通过云服务器中转站在多台电脑间同步 Claude Code 关键配置(skills、hooks、记忆库、skill-factory),GitHub 作为大版本归档。支持 init/pull/push/backup/status 五个子命令。
⭐ 0· 331·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's stated purpose is to synchronize Claude Code configuration via a user-controlled relay server and archive to GitHub, which aligns with the git/ssh operations in SKILL.md. However, the skill metadata claims no required binaries or credentials while SKILL.md explicitly relies on git and SSH and requires an SSH-accessible relay. Additionally, sync-registry.md hardcodes an IP (129.211.0.193) and user 'root' and references GitHub repos owned by 'mwangxiang' — this embeds an external relay and archives that are not justified by the 'your server' wording and could cause users to push private data to someone else's infrastructure.
Instruction Scope
The runtime instructions direct the agent (and user) to read local repo contents (CLAUDE.md, settings.json, whole repositories), clone/push them over SSH to the relay, and optionally push to GitHub. It also suggests scp'ing an existing keypair from another machine and modifying ~/.ssh/authorized_keys — operations that can expose private keys or grant root access on the remote host. While these actions are coherent with 'sync' functionality, they escalate risk because the default registry points to an external root server and the instructions do not insist the user replace it first.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only. That minimizes filesystem persistence and supply-chain risk. The main hazards come from the instructions themselves (network/SSH/git operations), not from any installer.
Credentials
The skill declares no required credentials or env vars, yet SKILL.md presumes SSH access to a relay as root and use of Git/GitHub. The implicit credential is the user's SSH key(s). The presence of a prepopulated remote server IP and specific GitHub repo names (mwangxiang/...) is disproportionate: a sync tool should default to an empty registry or clearly require the user to supply and confirm their own server/GitHub targets rather than ship with hardcoded external endpoints.
Persistence & Privilege
The skill is not 'always: true' and has no install that would force permanent presence. It does not declare actions that modify other skills or global agent settings. Autonomous invocation is allowed (platform default) but does not by itself change this assessment.
What to consider before installing
Before installing or running this skill: 1) Inspect sync-registry.md and replace the relay IP/user and GitHub targets with servers you control—do not rely on the provided 129.211.0.193 root entry. 2) Never scp or transmit your private SSH key; prefer generating a new keypair for any server you trust and add only the public key to authorized_keys. 3) Verify you understand which local paths will be cloned/pushed (~/.claude and your project folders) and make backups. 4) Run a dry-run or manually execute the listed git/ssh commands to confirm behavior before allowing automated pushes. 5) If you cannot verify the remote relay operator, do not use this skill—using it as-is could send sensitive config and memory data to an external party.Like a lobster shell, security has layers — review code before you run it.
latestvk97197vp4jck0ge686ren9v3zs81tnbh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.