Multi-Device Sync via GitHub

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real GitHub sync tool, but it needs review because it can continuously sync sensitive OpenClaw files and behavior settings to GitHub.

Install only if you intentionally want OpenClaw workspace state synchronized through a private, dedicated GitHub repository. Review the installer locally instead of using curl|bash, verify exactly which files will be synced, and avoid syncing SOUL.md, skills/, MEMORY.md, or memory/ unless you are comfortable exposing and propagating that context across devices.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Rogue AgentSelf-Modification, Session Persistence

Findings (23)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill documents shell commands, package installation, git operations, and daemon management, but there is no declared permissions model to warn users or enforcement boundary for those capabilities. That creates a transparency and consent problem: users may invoke a skill that can modify files, install software, and establish persistent background behavior without an explicit permission declaration.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 94% confidence
Finding: The documented purpose is synchronization, but the behavior also includes fetching/installing code from an external repository, possibly installing system packages with sudo or Homebrew, and writing notification artifacts. Undisclosed software installation, privilege-requiring dependency setup, and extra local side effects materially expand the trust boundary and can lead to unexpected code execution or system modification.

Intent-Code Divergence

Medium

Confidence: 92% confidence
Finding: The documentation says auto-push is disabled by default, but the shown configuration enables it. This contradiction can cause users to believe data will remain local when in fact edits may be uploaded automatically, increasing the risk of unintended disclosure of sensitive workspace content.

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The security section claims only configured files are committed, but the documented flow uses `git add -A`, which stages every change in the repository. In a sync repo that may contain backups, temporary files, secrets, or conflict artifacts, this can result in over-collection and unintended exfiltration to GitHub.

Intent-Code Divergence

Medium

Confidence: 90% confidence
Finding: The repeated Security & Safety section repeats the same contradictory statement about auto-push defaults, reinforcing a misleading safety claim. Repetition of incorrect safety information increases the chance users will trust a dangerous default and expose private data unintentionally.

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The installer presents automatic push as recommended, but the case statement sets AUTO_PUSH="false" for both yes and no inputs. This creates a deceptive configuration state where users may believe real-time synchronization is enabled when it is not, which can lead to stale backups, missed replication, and false assumptions about data safety across devices.

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The code claims it may start only a pull daemon when auto-push is disabled, but both branches invoke the same sync-daemon start command. If the daemon performs push monitoring by default, users who thought automatic push was disabled may unintentionally upload local changes, including sensitive files, to the remote repository.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The quick-start path encourages immediate installation without clearly warning that setup modifies local workspace structure via symlinks and may start ongoing synchronization behavior. Users may consent to a convenience install without understanding that edits can later propagate automatically to a remote repository.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The syncable files list includes highly sensitive data sources such as memory, behavior rules, and user profile information, but it does not explicitly warn that these may be uploaded to GitHub and replicated across devices. Given the nature of OpenClaw workspace data, this creates a meaningful risk of privacy loss, credential leakage, or behavioral prompt disclosure.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The installer automatically performs privileged package installation using sudo apt-get without an explicit confirmation step immediately before making system changes. Although this is common in setup scripts, it is risky because users may run the installer without realizing it will modify the system as root and pull packages from network repositories.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The installer clones remote Git repositories and initializes or updates local repositories under the user's home directory without a strong upfront warning about network access and filesystem modifications. In a security-sensitive environment, this matters because users may supply a malicious repo URL or unintentionally overwrite expected local state while trusting the installer flow.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script unconditionally removes the local scripts path and replaces it with a symlink, without warning or checking whether that path contains user data or an expected directory. This can silently break existing local tooling or destroy files if the target path was previously populated for another purpose.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The troubleshooting guide instructs users to run `rm -rf skills/some-skill/.git` without an explicit warning or verification step. Although the target is intended to be a nested Git metadata directory, recursive force deletion is destructive and can remove the wrong path if copied, edited, or expanded incorrectly, especially in a troubleshooting context where users may act quickly.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The manual recovery section recommends `git reset --hard origin/main`, which irreversibly discards uncommitted local changes and rewrites the working tree to match the remote. While a backup step is included earlier, the guide does not explicitly warn that this command will destroy current local state in the repo and may cause data loss if the backup is incomplete or skipped.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script sets up continuous background syncing that automatically pulls and pushes repository changes, but it does not present any explicit runtime warning or consent gate before starting persistent file monitoring and network synchronization. In a multi-device sync skill handling workspace data, this can unintentionally expose sensitive files, overwrite local work, or surprise users with ongoing repository modification behavior.

Missing User Warnings

Medium

Confidence: 81% confidence
Finding: The script writes sync event details, including device name and arbitrary message content, into local notification files under ~/.openclaw/notifications without any access control checks or minimization of sensitive content. In this skill context, messages may include filenames, conflict details, or error text that can leak workspace metadata to other local users or processes if directory/file permissions are too broad.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script executes the value of the EDITOR environment variable via `xargs $EDITOR_CMD`, which treats that value as a command without validation or any warning to the user. Because environment variables are attacker-influenced in some invocation contexts, a malicious EDITOR value can cause arbitrary command execution when the user selects manual merge, and the use of `xargs` also makes argument handling unsafe for filenames containing special characters or whitespace.

Session Persistence

Medium

Category: Rogue Agent
Content: # 1. Clone skill git clone https://github.com/RegulusZ/multi-device-sync-github.git ~/openclaw-skills/multi-device-sync-github # 2. Clone/create sync repo git clone git@github.com:YOURNAME/openclaw_sync.git ~/openclaw-sync # 3. Initialize
Confidence: 83% confidence
Finding: create sync repo git clone git@github.com:YOURNAME/openclaw_sync.git ~/openclaw-sync # 3. Initialize cd ~/openclaw-sync ~/openclaw-skills/multi-device-sync-github/scripts/sync-init.sh \ --device-na

Session Persistence

Medium

Category: Rogue Agent
Content: ### Permissions The skill requires: - Read/write access to `~/.openclaw/workspace/` - Git push access to your sync repository - No network access beyond GitHub
Confidence: 82% confidence
Finding: write access to `~/.openclaw/workspace/` - Git push access to your sync repository - No network access beyond GitHub ### Enabling Auto-Push After reviewing the behavior, enable auto-push: ```bash #

External Script Fetching

Low

Category: Supply Chain
Content: ### Interactive Installation (Recommended) ```bash curl -fsSL https://raw.githubusercontent.com/RegulusZ/multi-device-sync-github/main/install.sh | bash ``` The installer will guide you through:
Confidence: 97% confidence
Finding: curl -fsSL https://raw.githubusercontent.com/RegulusZ/multi-device-sync-github/main/install.sh | bash

External Script Fetching

Low

Category: Supply Chain
Content: ### Option A: Interactive ```bash curl -fsSL https://raw.githubusercontent.com/RegulusZ/multi-device-sync-github/main/install.sh | bash # Select "Add to existing sync" ```
Confidence: 97% confidence
Finding: curl -fsSL https://raw.githubusercontent.com/RegulusZ/multi-device-sync-github/main/install.sh | bash

Chaining Abuse

High

Category: Tool Misuse
Content: ### Interactive Installation (Recommended) ```bash curl -fsSL https://raw.githubusercontent.com/RegulusZ/multi-device-sync-github/main/install.sh | bash ``` The installer will guide you through:
Confidence: 98% confidence
Finding: | bash

Chaining Abuse

High

Category: Tool Misuse
Content: ### Option A: Interactive ```bash curl -fsSL https://raw.githubusercontent.com/RegulusZ/multi-device-sync-github/main/install.sh | bash # Select "Add to existing sync" ```
Confidence: 98% confidence
Finding: | bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal