Clawdbot Sync

Security checks across malware telemetry and agentic risk

Overview

This sync skill does what it claims, but it needs review because it can copy and overwrite agent memory/profile data across SSH peers while weakening SSH peer verification.

Install only if you intend to sync agent memory/profile state between machines you control. Use a dedicated least-privilege SSH key/account, pin or verify SSH host keys, run /sync diff and keep backups before push/pull/sync, and avoid enabling auto-sync or syncing skills until you have tested with non-sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The connection check disables SSH host key verification with StrictHostKeyChecking=no, which allows man-in-the-middle interception or silent trust of an attacker-controlled host. In a sync tool that moves memory and user state between agents, this can redirect synchronization to an untrusted system and expose or poison synchronized data.

Vague Triggers

Medium
Confidence: 93%
Finding
The manifest description includes broad trigger phrases such as 'sync with mac', 'update other clawdbot', and 'share this with my other bot', which can plausibly match ordinary user conversation and invoke a high-risk capability. Because this skill performs networked synchronization of memory, preferences, and optionally skills, accidental or overly eager activation could cause unintended data transfer to another machine.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description and surrounding user-facing content do not prominently warn that synchronization may transmit memory contents, user profile data, and optionally installed skills to other machines. In this context, the synced items explicitly include 'memory/', 'MEMORY.md', and 'USER.md', so insufficient disclosure can lead users to trigger exfiltration of sensitive personal or operational data without informed consent.

Missing User Warnings

Medium
Confidence: 94%
Finding
The push path uses rsync with --delete, which can remove files on the remote side to mirror the local workspace without any confirmation, dry-run gate, or clear disclosure. In a multi-agent sync context, a mistaken peer, path misconfiguration, or compromised local state could irreversibly delete remote memory or configuration data.

Missing User Warnings

Medium
Confidence: 81%
Finding
The pull operation writes remote content directly into the local workspace, replacing local files without a warning, approval step, or integrity verification of the source. Because the workspace contains agent memory and behavior-affecting files, a remote peer can overwrite trusted local state and influence future agent behavior.

Missing User Warnings

High
Confidence: 96%
Finding
The bidirectional sync modifies both local and remote state automatically based on timestamps, with no review, conflict resolution, or user-facing warning. In this skill's context, synchronized files include agent memory and user-related documents, so a malicious or compromised peer can both exfiltrate sensitive state and propagate poisoned content across instances.

Missing User Warnings

Medium
Confidence: 98%
Finding
This finding reflects the same unsafe SSH behavior in user-impact terms: undisclosed network connections are made with host key checking disabled, so the tool may trust an attacker-controlled endpoint without warning. Given that the skill synchronizes sensitive memory and state, this materially increases the risk of interception, tampering, and unauthorized replication.

VirusTotal

51/51 vendors flagged this skill as clean.
