openclaw-syncralis
Review
Audited by ClawScan on May 13, 2026.
Overview
This skill appears to match its stated file-sharing and web-search purpose, but it can expose workspace files through Ngrok links and uses external service API keys, so users should configure it carefully.
Install only if you want an MCP gateway that can read files from a workspace, download files into it, and generate public Ngrok links. Configure a dedicated workspace, use a strong signing secret, keep API keys private, and avoid the persistent Docker/Ngrok setup unless you intend the sharing service to stay available.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A file in the configured workspace can be returned to the agent or made reachable by anyone who receives the generated link until it expires.
The tool can read workspace files or generate public download links. This is the skill's stated purpose and is scoped to the workspace with signed URLs, but it is still a sensitive file-sharing capability.
name: "share_files" ... action: { enum: ["read", "download"] } ... text: `SUCCESS. Tell the user their file is ready and output exactly this URL: ${signedLink}`
Keep only intended-to-share files in the workspace, use a strong URL_SIGNING_SECRET, and review generated links before sending them to others.
The skill can use third-party service accounts or API quotas configured by the user.
The skill expects optional credentials for Ngrok, Tavily, and Brave. These credentials are disclosed and purpose-aligned for tunneling and search.
NGROK_AUTHTOKEN=add_your_ngrok_authtoken_here
TAVILY_API_KEY=add_your_tavily_key_here
BRAVE_API_KEY=add_your_brave_key_here
Use least-privilege/free-tier keys where possible, store them outside shared configs, and rotate them if exposed.
Search queries and shared-file access metadata may be handled by third-party services according to their terms and logs.
The artifacts disclose that search queries and public file-link delivery depend on external providers. This is expected for the skill, but it is a data-boundary consideration.
Syncralis relies on three external services... Ngrok... Tavily API... Brave Search API
Avoid sending highly sensitive queries or file links through third-party services unless that fits your privacy requirements.
If deployed this way, the file-sharing gateway and tunnel may continue running until the user stops the containers.
The Docker deployment intentionally keeps the gateway/tunnel running beyond a single tool call. This is disclosed and purpose-aligned for high availability, not hidden persistence.
run openclaw alongside Ngrok to serve the workspace volume 24/7. This guarantees your download links remain active even after the MCP process shuts down.
Use the persistent Docker setup only when needed, monitor running containers/tunnels, and stop or disable the service when file sharing is no longer required.
Running the command will remove the local plugin directory and any files stored there.
The documented hard-reset command deletes the plugin's own extension directory. It is destructive but scoped and user-directed, with no evidence of automatic execution.
rm -rf ~/.openclaw/extensions/openclaw-syncralis
Prefer the standard uninstall command first, and only run the hard-reset delete command after verifying the path is correct.
