Session Sync Cloud
Warn
Audited by ClawScan on May 18, 2026.
Overview
This backup skill is purpose-aligned, but the visible code appears to upload sensitive memory files without the promised client-side encryption and restores cloud-provided files without safe path validation.
Review carefully before installing. Treat uploaded memory backups as plaintext unless the publisher provides real client-side encryption, use only a least-privilege bucket/prefix, avoid restoring from any bucket you do not fully trust, and test restore in a disposable workspace first.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may store sensitive conversation history and agent memory in cloud storage believing it is end-to-end encrypted when the visible code appears to store plaintext objects and plaintext manifests.
The skill claims client-side encryption and that the server never sees plaintext, but the visible upload path sends the memory file directly to S3 with only a SHA-256 metadata tag and no encryption step.
SKILL.md: "Encrypted upload — AES-256; server never sees plaintext" / scripts/run.py: "s3.upload_file(Filename=str(MEMORY_DIR / rel_path), Bucket=bucket, Key=s3_key, ExtraArgs={\"Metadata\": {\"sha256\": meta[\"hash\"]}})"
Implement audited client-side encryption for file contents and manifests before upload, or remove the encryption claims and clearly warn users that backups are plaintext in their bucket.
Private conversation context, working notes, and persistent agent state could be copied to a cloud bucket wholesale, including files the user did not intend to back up.
The artifacts explicitly target persistent agent memory and scan every file under the memory directory, with no exclusion support and no visible client-side encryption.
SKILL.md: "conversation history, WAL entries, working buffer, and PARA notes" and "Currently backs up entire `memory/`." / scripts/run.py: "for p in MEMORY_DIR.rglob(\"*\")"
Add explicit path allowlists/exclusions, secret filtering, clear retention behavior, and user-visible confirmation before first broad backup of memory data.
A corrupted or malicious manifest in the configured bucket could overwrite memory files or potentially write outside the memory directory, poisoning future agent context or damaging workspace files.
Restore trusts the cloud manifest for both local file paths and S3 object keys, then writes the downloaded content without checking for absolute paths, `..` traversal, or hash integrity.
for rel_path, meta in manifest.get("files", {}).items(): target = MEMORY_DIR / rel_path ... key = prefix + meta["s3_key"] ... with open(target, "wb") as f: f.write(content)
Validate restored paths with a resolved-path containment check, reject absolute paths and traversal, verify content hashes before writing, and create a local backup or preview before restore.
Users may not notice before installation that they need to place cloud storage access keys in a workspace config file.
S3-compatible credentials are expected for this backup purpose, but the registry metadata does not declare a credential requirement.
SKILL.md: "Access key + secret" and config fields "key_id" / "secret_key"; metadata: "Primary credential: none" and "Env var declarations: none"
Declare the credential requirement in metadata and advise users to use a least-privilege key limited to the intended bucket and prefix.
A user may need to manually install an unpinned Python package for the skill to work.
The script depends on boto3 but the package has no install spec or pinned dependency declaration.
scripts/run.py: "import boto3" and "boto3 not installed. Run: pip install boto3" / install spec: "No install spec — this is an instruction-only skill."
Provide a reviewed install specification with pinned dependency versions and hashes, or document a safe installation process.
After setup, memory data could be uploaded repeatedly in the background according to the skill's described schedule.
The skill describes recurring automatic backups, which is purpose-aligned for sync but means data may be uploaded without a manual command each time once configured.
"Every 15 minutes while agent is running" and "After every `/wrap_up`"
Require explicit opt-in for scheduling, provide an easy pause/disable control, and show the exact next backup time and scope.
