Ftp Sync

Security checks across static analysis, malware telemetry, and agentic risk

Overview

No hidden data exfiltration was found in this skill. However, its documentation asks for server credentials while the included script only simulates FTP/SFTP sync, despite advertising real synchronization and backup features.

Review this carefully before installing. It appears incomplete rather than malicious: the included code does not perform real FTP/SFTP synchronization, while the documentation asks for sensitive server credentials and suggests deployment-style actions. Avoid using real passwords on the command line, use least-privilege accounts, and do not depend on it for backups or website updates unless the implementation is completed and verified.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may believe website files or backups were synchronized when no transfer actually happened.

Why it was flagged

The script only simulates synchronization and tells the user another library is needed, while SKILL.md advertises SFTP upload/download and incremental sync. This capability mismatch is important for a backup/deployment tool.

Skill content
# simulated sync ... print("⚠️ Full sync requires installing: pip install paramiko")
Recommendation

Do not rely on this skill for real backups or deployments until the documentation and implementation match, and require clear success/failure reporting.

What this means

Passwords typed on the command line can be exposed through shell history or process listings, and a root login gives write access to the whole server, not just the web root.

Why it was flagged

The skill's command examples pass server credentials as arguments, including a root user and a plaintext password. Credentials are expected for FTP/SFTP, but a root account with a password in argv is a sensitive grant of authority.

Skill content
python3 scripts/ftp_sync.py upload ./local_folder/ --host 192.168.1.1 --user root --password xxx
Recommendation

Use a least-privilege account, prefer key-based authentication or a safer secret prompt, and avoid putting real passwords directly in command history.
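One way to apply this recommendation in an ftp_sync-style CLI, as an added example for this review (not code from the Ftp Sync skill): the parser offers no --password flag at all, a secret comes from a key file, an environment variable or a terminal prompt, and a root user is refused. The flag names and the FTP_SYNC_PASSWORD variable are this example's own assumptions; the returned dict is meant to be handed to a real SFTP client (for paramiko, SSHClient.connect takes username, key_filename or password).

```python
"""Credential handling for an ftp_sync-style CLI that never takes a password in argv.

Added example for this review, not code from the Ftp Sync skill. The flag names
and the FTP_SYNC_PASSWORD environment variable are this example's own assumptions.
"""
import argparse
import getpass
import os
from typing import Callable, List, Mapping, Optional


def check_argv(argv: List[str]) -> Optional[str]:
    """Return an error message if argv carries a plaintext secret, else None."""
    for a in argv:
        if a == "--password" or a.startswith("--password="):
            return ("refusing --password on the command line (visible in shell "
                    "history, `ps` and /proc/<pid>/cmdline); use --key, "
                    "--password-env or --ask-pass")
    return None


def build_parser() -> argparse.ArgumentParser:
    # allow_abbrev=False matters: with argparse's default, a bare `--password xxx`
    # would be accepted as an abbreviation of `--password-env` and the secret
    # would still end up in argv.
    p = argparse.ArgumentParser(prog="ftp_sync", allow_abbrev=False)
    p.add_argument("--host", required=True)
    p.add_argument("--user", required=True)
    p.add_argument("--key", help="path to a private key file (preferred)")
    p.add_argument("--password-env", default="FTP_SYNC_PASSWORD",
                   help="environment variable holding the password")
    p.add_argument("--ask-pass", action="store_true",
                   help="prompt for the password on the terminal")
    return p


def resolve_auth(argv: List[str], environ: Mapping[str, str],
                 prompt: Callable[[str], str] = getpass.getpass) -> dict:
    """Return {'method': 'key'|'password', 'user', 'host', 'secret'} or exit."""
    err = check_argv(argv)
    if err:
        raise SystemExit(err)
    args = build_parser().parse_args(argv)
    if args.user == "root":  # this example's policy: least-privilege accounts only
        raise SystemExit("refusing to sync as root; use a least-privilege account")
    if args.key:
        if not os.path.isfile(args.key):
            raise SystemExit(f"key file not found: {args.key}")
        return {"method": "key", "user": args.user, "host": args.host,
                "secret": args.key}
    if args.ask_pass:
        pw = prompt(f"password for {args.user}@{args.host}: ")  # never echoed
    else:
        pw = environ.get(args.password_env, "")
    if not pw:
        raise SystemExit(f"no password: set ${args.password_env} or pass --ask-pass")
    return {"method": "password", "user": args.user, "host": args.host,
            "secret": pw}


if __name__ == "__main__":
    import sys
    print(resolve_auth(sys.argv[1:], os.environ)["method"])
```

The argv check runs before argparse on purpose: it gives a clear message instead of argparse's generic "unrecognized arguments", and it is the only line of defence if someone later re-enables abbreviations.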

What this means

A mistaken path or account could overwrite website files or sync the wrong local directory.

Why it was flagged

The documented workflow is a remote upload to a web server directory. That is purpose-aligned for deployment/sync, but it can modify public server content if a real sync implementation is added or used.

Skill content
python3 scripts/ftp_sync.py upload ./dist/ --host example.com --user ftpuser --password pass123 --remote /var/www/html/
Recommendation

Use dry-run/diff first, confirm local and remote paths, and keep backups before allowing any real upload or delete operation.
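The dry-run/diff step recommended here, together with the clear success/failure reporting asked for under the first finding, as an added example for this review (not the skill's code). Transport is injected: put(local, remote) and remove(remote) stand in for a real client's methods (for paramiko, SFTPClient.put and SFTPClient.remove); the remote manifest, a map of relative path to (size, sha256), is assumed to be kept from the previous run, since SFTP cannot cheaply hash remote files. Deletion is opt-in and dry-run is the default, so a wrong --remote path cannot wipe a site by accident.

```python
"""Dry-run/diff planning and explicit result reporting for a directory sync.

Added example for this review, not code from the Ftp Sync skill. put/remove are
injected transport callables (assumption: the caller wires in a real SFTP
client); the remote manifest format is this example's own.
"""
import hashlib
import os
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Manifest = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def local_manifest(root: str) -> Manifest:
    """Relative path -> (size, sha256) for every regular file under root."""
    out: Manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (os.path.getsize(full), sha256_file(full))
    return out


@dataclass
class Plan:
    upload: List[str] = field(default_factory=list)  # new or changed locally
    skip: List[str] = field(default_factory=list)    # identical on both sides
    delete: List[str] = field(default_factory=list)  # remote-only, only if asked


def make_plan(local: Manifest, remote: Manifest, delete: bool = False) -> Plan:
    """Pure diff of the two manifests; touches nothing."""
    plan = Plan()
    for rel, meta in sorted(local.items()):
        (plan.skip if remote.get(rel) == meta else plan.upload).append(rel)
    if delete:  # deletions are opt-in
        plan.delete = sorted(set(remote) - set(local))
    return plan


@dataclass
class Result:
    uploaded: int = 0
    deleted: int = 0
    failed: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.failed


def apply_plan(plan: Plan, local_root: str, remote_root: str,
               put: Callable[[str, str], None], remove: Callable[[str], None],
               dry_run: bool = True) -> Result:
    """Run the plan; with dry_run (the default) only print what would happen."""
    res = Result()
    base = remote_root.rstrip("/")
    for rel in plan.upload:
        src, dst = os.path.join(local_root, rel), f"{base}/{rel}"
        if dry_run:
            print(f"would upload {src} -> {dst}")
            continue
        try:
            put(src, dst)
            res.uploaded += 1
        except Exception as e:  # record the failure; never report it as success
            res.failed.append((rel, str(e)))
    for rel in plan.delete:
        dst = f"{base}/{rel}"
        if dry_run:
            print(f"would delete {dst}")
            continue
        try:
            remove(dst)
            res.deleted += 1
        except Exception as e:
            res.failed.append((rel, str(e)))
    return res


def report(res: Result, dry_run: bool) -> int:
    """Print a summary and return the exit status: 0 only on full success."""
    mode = "DRY RUN" if dry_run else "SYNC"
    print(f"{mode}: uploaded={res.uploaded} deleted={res.deleted} failed={len(res.failed)}")
    for rel, err in res.failed:
        print(f"  FAILED {rel}: {err}", file=sys.stderr)
    return 0 if res.ok else 1
```

A real run is `report(apply_plan(plan, "./dist", "/var/www/html/", sftp.put, sftp.remove, dry_run=False), False)` after the dry run has been read and the paths confirmed; a non-zero exit status and a per-file FAILED line are what distinguish this from the reviewed script, which prints a notice and returns as if work had been done.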

What this means

To make the skill actually sync, a user may install or run additional software that was not part of the reviewed package.

Why it was flagged

The script suggests user-directed external tooling for real sync. This is not automatically executed, but the dependency/tooling needed for the advertised feature is outside the reviewed implementation.

Skill content
print("⚠️ Full sync requires installing: pip install paramiko")
print("   Or use the system command: rsync -avz local/ user@host:/remote/")
Recommendation

Install dependencies from trusted sources, pin versions where possible, and review any added sync command before running it.