synapse
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
Synapse’s P2P sharing purpose is clear, but it needs review because it can run unpinned remote model code, exposes shell-templated tools, and can merge or export agent memory through a P2P network.
Review this skill carefully before installing. Use it only for files and memory shards you are comfortable sharing over P2P, avoid assimilating unknown shards, do not use the skip-safety option casually, and stop the seeder when finished. For safer deployment, the maintainer should replace shell-templated handlers, pin or avoid remote model code, and add explicit user approval and scoping around memory export/import.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed path, tag, query, or output value could make the agent run unintended local commands or operate on unintended files.
User-controlled tool parameters are inserted directly into command strings with simple quoting. If the platform executes these handlers through a shell, crafted values containing quotes or shell metacharacters could alter the command.
"handler": "python3 {{skillDir}}/logic.py create-shard --source '{{source_db}}' --name '{{display_name}}' --tags '{{tags}}'"Use argv-style execution instead of shell strings, strictly validate paths and URLs, escape parameters safely, and require user confirmation for share, download, and memory-assimilation actions.
Running the embedding feature may execute external Python code on the user’s machine, not just load static model weights.
The embedding loader trusts remote model code from the model repository, and the provided artifacts do not show a pinned model revision, hash verification, or sandboxing.
trust_remote_code=True, # Required for nomic models
Pin the model to a reviewed revision, avoid trust_remote_code where possible, vendor reviewed model code, or clearly warn users before loading remote model code.
Private agent memory could be shared, and untrusted downloaded shards could influence future agent behavior after being assimilated.
The tool contract allows exporting agent memory and importing downloaded P2P memory into active memory, including an option to skip guardrail checks. The artifacts do not clearly bound which memory can be exported, how imported memory is retained, or when explicit user approval is required.
"create_memory_shard" ... "Exports a portion of the agent's vector database" ... "assimilate_shard" ... "integrates a downloaded memory shard into the agent's active memory" ... "skip_safety_check"
Disable autonomous memory export/import by default, require explicit user approval, restrict allowed database paths, record provenance, and remove or strongly gate the skip-safety option.
A user or agent might trust the assimilation safety scan even though malicious or manipulative content inside the downloaded memory data may not be checked by this code path.
The safety comments describe guardrail checks for malicious shard content, but the shown implementation scans shard metadata rather than the actual shard payload, which could make users overestimate the protection.
"This runs the data through local 'guardrail' checks" ... "metadata_str = json.dumps(shard.to_dict())" ... "# Scan metadata for threats"
Make the safety limitations explicit, scan the actual shard payload before assimilation, and fail closed when shard content cannot be inspected.
Search queries, embeddings, metadata, and shared files may become visible to the tracker or P2P peers depending on use.
The tracker and peer network are central to the stated purpose, but they create external data flows for embeddings, search, and selected files.
"Storage: Tracker stores embeddings (FAISS index), clients store actual files (BitTorrent)"
Only share non-sensitive files or memory shards, review the tracker you use, and understand that P2P sharing may be difficult to fully revoke once peers download content.
Files that the user chose to share may keep being seeded in the background until the daemon is stopped or the file is unshared.
A persistent seeder daemon is expected for BitTorrent sharing and stop controls are documented, but it continues operating beyond the initial command.
"Start seeder daemon (runs in background)" ... "Stop daemon"
Use list-shared regularly, stop the daemon when finished, and unshare any file that should no longer be available.
Installation and first run may execute code fetched from the internet and download a large dependency stack.
The setup path is user-directed and related to the skill’s Python dependencies, but it relies on a remote install script and automatic dependency installation.
curl -LsSf https://astral.sh/uv/install.sh | sh ... Dependencies auto-installed on first run via uv
Install uv from a trusted source, review dependencies before first run, and prefer a lockfile or reproducible installation process.