ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Autonomous Sync

v1.0.0

Use this skill when the user wants to keep their Pulse agent updated automatically, set up scheduled syncs, configure triggers for knowledge updates, use CRO...

0· 86·0 current·0 all-time
byAwassi@xisen-w

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xisen-w/autonomous-sync.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Autonomous Sync" (xisen-w/autonomous-sync) from ClawHub.
Skill page: https://clawhub.ai/xisen-w/autonomous-sync
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install autonomous-sync

ClawHub CLI

Package manager switcher

npx clawhub@latest install autonomous-sync
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md clearly targets automating syncs to a Pulse-like API (endpoints under https://www.aicoo.io/api/v1) and that purpose matches the skill name/description. However, the registry metadata declares no required environment variables or primary credential while the SKILL.md explicitly requires PULSE_API_KEY (and examples use PULSE_BASE). The version in SKILL.md (2.0.0) differs from registry (1.0.0). These metadata mismatches reduce trust and are incoherent with the declared purpose.
!
Instruction Scope
Instructions are generally within the scope of syncing (search, snapshot, patch, create, bulk update). But the skill instructs modifying agent configuration (.claude/settings.json hooks), adding cron jobs, and running local scripts (e.g., ./pulse-skills/scripts/sync-detector.sh or /path/to/pulse-sync.sh). Those actions change agent behavior and run arbitrary local commands — they are powerful and increase the attack surface. The SKILL.md also inconsistently refers to PULSE_BASE while prereqs named Base URL directly.
Install Mechanism
This is an instruction-only skill with no install spec or code files. That minimizes supply-chain risk because nothing will be downloaded or written by the skill package itself.
!
Credentials
The runtime instructions require PULSE_API_KEY (Authorization: Bearer $PULSE_API_KEY) and reference a PULSE_BASE variable, but the registry lists no required environment variables and no primary credential. Requesting a bearer API key for the target service would be reasonable for this functionality, but the metadata omission is a discrepancy that could lead to unexpected credential prompts or misconfiguration.
!
Persistence & Privilege
The skill does not set always:true and allows user invocation, which is appropriate. However, it explicitly instructs the user to add persistent hooks to .claude/settings.json (PostToolUse hooks) and to schedule cron jobs or long-running /loop commands. Those steps grant persistent behavior and can let automation run unattended — appropriate for the feature but higher-privilege. Users should be aware they are being guided to modify agent-wide config and add persistent local tasks.
What to consider before installing
This skill appears to do what it says (automate syncing to a Pulse API) but there are concerning inconsistencies and persistence instructions you should review before installing: 1) The SKILL.md requires PULSE_API_KEY and references PULSE_BASE, but the registry metadata lists no required env vars — expect to provide an API key if you enable it. 2) The author suggests editing .claude/settings.json to add hooks and creating cron jobs or local scripts; back up your agent config first and review any scripts you create or run. 3) Verify and trust the API host (https://www.aicoo.io) and create a least-privilege API key limited to the actions required (search/snapshot/patch/create). 4) Ask the publisher for the missing metadata (declared env vars/primary credential and correct version) or for an install script you can audit. If you are uncomfortable giving persistent automation permission to modify agent config or run scheduled local scripts, do not enable the hooks/cron steps and instead run syncs manually or in a tightly controlled environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk977anqqhaf2q23j85zrby93td859kz8
86downloads
0stars
1versions
Updated 6d ago
v1.0.0
MIT-0
Awassi@xisen-w
latest
Download

Autonomous Sync — Keep Your Agent Updated

Set up automatic triggers to keep Pulse knowledge current.

Prerequisites

  • PULSE_API_KEY must be set
  • Base URL: https://www.aicoo.io/api/v1

Sync Contract (post-refactor)

Use these endpoints in automation:

  1. Search overlap: POST /api/v1/os/notes/search
  2. Deterministic grep (exact/regex + context): POST /api/v1/os/notes/grep
  3. Snapshot before edits: POST /api/v1/os/snapshots/{noteId}
  4. Edit existing note: PATCH /api/v1/os/notes/{noteId}
  5. Create new note: POST /api/v1/os/notes
  6. Reorganize with move/copy: POST /api/v1/os/notes/{id}/move, POST /api/v1/os/notes/{id}/copy
  7. Bulk updates: POST /api/v1/accumulate

Strategy 1: Rule-Based (/loop or cron)

Claude Code /loop

/loop 30m sync new decisions and project updates to Aicoo: search existing notes, snapshot before major edits, patch existing notes or create new ones.

Cron example

# daily at 9:00
0 9 * * * /path/to/pulse-sync.sh >> /tmp/pulse-sync.log 2>&1

Strategy 2: Event-Driven (hooks)

Claude hooks

Add to .claude/settings.json:

{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit",
        "hooks": [
          {
            "type": "command",
            "command": "./pulse-skills/scripts/sync-detector.sh"
          }
        ]
      }
    ]
  }
}

Strategy 3: Conversation-Driven

After substantial chat sessions:

# 1) search
curl -s -X POST "$PULSE_BASE/os/notes/search" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query":"database migration strategy"}' | jq .

# 2) snapshot before overwrite
curl -s -X POST "$PULSE_BASE/os/snapshots/42" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"label":"Pre-update"}' | jq .

# 3) patch
curl -s -X PATCH "$PULSE_BASE/os/notes/42" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"content":"# Updated content..."}' | jq .

If no matching note exists, call POST /os/notes.

What to Sync

  • decisions
  • preferences
  • project updates
  • meeting outcomes
  • policy/constraint changes

Safety Rules

  1. Search first to avoid duplicates.
  2. Snapshot before high-impact edits.
  3. Prefer patching canonical notes over creating near-duplicates.
  4. Use accumulate for larger batches.

Comments

Loading comments...