v0.2.0

synapse

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

This skill needs Review because it intentionally shares data over P2P and also includes high-impact agent-memory transfer, persistent background activity, remote model-code loading, and unsafe command-handler patterns.

GuidanceInstall only if you intentionally want an agent to share files over BitTorrent. Use a dedicated non-private data directory, do not share confidential documents or agent memory, require explicit approval for share/download/assimilate actions, audit the remote model/dependencies, and stop the seeder daemon when finished.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceMediumStatusConcern

skill.json

"handler": "python3 {{skillDir}}/logic.py download --magnet '{{magnet_link}}' --output '{{output_dir}}'"

Tool parameters are interpolated directly into a shell-like command string; similar handlers use source_db, display_name, shard_path, query, and trackers. Crafted values containing shell metacharacters or quotes could alter the command if the handler is executed by a shell.

User impactA malicious or malformed parameter could cause the agent to run unintended local commands rather than only the intended Synapse action.

RecommendationUse argument-array execution or robust escaping, validate all path and URL parameters, and require explicit user approval before share, download, assimilate, or delete-like operations.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

src/embeddings.py

trust_remote_code=True,  # Required for nomic models

The embedder loads tokenizer/model code with trust_remote_code=True, allowing code from the referenced model repository to run locally when embeddings are generated.

User impactUsing the embedding feature may execute third-party model code on the user's machine, beyond ordinary data processing.

RecommendationPin and audit the exact model revision, avoid trust_remote_code where possible, document this behavior clearly, and run the skill in a constrained environment.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

HEARTBEAT.md

"Network Maintenance (Every 6 hours)" ... "Re-announce high-value memory shards with low seed count" ... "Prune completed downloads older than 7 days"

The artifact describes recurring background network and file-maintenance actions, including continued announcement of shared shards and automatic pruning.

User impactThe skill may keep participating in the network or changing local download state after the initial user task unless the daemon and heartbeat behavior are controlled.

RecommendationMake recurring tasks opt-in, show active seeds and scheduled jobs clearly, provide a reliable stop/disable path, and require approval before re-announcing or pruning user files.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

curl -LsSf https://astral.sh/uv/install.sh | sh ... "Dependencies auto-installed on first run via uv"

The setup path relies on a remote installer and first-run dependency fetching. This is common for Python tooling and purpose-aligned, but users should notice the supply-chain dependency.

User impactInstallation and first use may download and run code from external package sources.

RecommendationInstall uv from a trusted source, review pinned dependencies, and prefer reproducible lockfiles or a vetted package environment.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityHighConfidenceHighStatusConcern

skill.json

"Exports a portion of the agent's vector database as a shareable MemoryShard" ... "integrates a downloaded memory shard into the agent's active memory" ... "skip_safety_check"

The tool manifest explicitly supports exporting agent memory/vector databases and importing downloaded shards into active memory, including a safety-bypass parameter.

User impactPrivate agent memory could be shared to the network, and untrusted downloaded content could be added to persistent agent context.

RecommendationDo not expose private vector databases by default; require per-action confirmation, restrict allowed paths, disable safety bypasses for normal use, and verify signatures and safety scans before assimilation.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

README.md

"Client generates query embedding → Tracker computes cosine similarity" ... "Tracker stores embeddings (FAISS index), clients store actual files (BitTorrent)"

The architecture sends query/file embeddings and metadata to tracker infrastructure while files are exchanged through BitTorrent peers.

User impactSearch queries, semantic representations of shared content, file names, tags, and availability may become visible to tracker operators or peers.

RecommendationOnly share non-sensitive files, use a trusted tracker, avoid private queries/content, and document exactly what metadata leaves the machine.