Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Context Sync

v1.0.0

Use this skill when the user wants to upload files to Pulse, sync context, add knowledge to their agent, update what their agent knows, push local files to P...

by Awassi @xisen-w

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xisen-w/context-sync.

Install the skill "Context Sync" (xisen-w/context-sync) from ClawHub.
Skill page: https://clawhub.ai/xisen-w/context-sync
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install context-sync

ClawHub CLI

npx clawhub@latest install context-sync
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The SKILL.md describes a file-sync/upload capability to Pulse and the included examples and API reference match that purpose. However the package/registry metadata lists no required environment variables or primary credential while the runtime instructions explicitly require PULSE_API_KEY and a base URL (https://www.aicoo.io). The missing declaration in registry metadata is an incoherence — the skill will need a credential but the registry doesn't advertise it.
Instruction Scope
The instructions explicitly tell the agent to read local directories and file contents and to upload them (POST /accumulate), and show example flows that scan ./docs and upload all files. That behavior is consistent with the skill's purpose. However it is broad in scope (bulk scanning & upload, identity files under memory/self/, link policy editing) and will transmit local content to an external endpoint, so users must be aware of potential sensitive-data exposure.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so it does not write code to disk or pull external binaries. From an install-mechanism perspective it's low risk, but runtime behavior (network uploads) remains a concern.
[!] Credentials
The SKILL.md requires a PULSE_API_KEY Authorization header to call the aicoo.io API — that is proportionate to a service that uploads context. The concern is that the registry metadata did not declare any required env vars or primary credential, so the skill's required credential is not reflected in the manifest. Also the skill invites managing identity files (memory/self/*) which could result in uploading sensitive identity/policy documents; users should confirm the key's scope and trustworthiness of the endpoint.
Persistence & Privilege
always is false, there is no install step, and the skill does not request persistent platform-level privileges. Autonomous invocation is allowed (default) but not sufficient alone to upgrade risk; combined with the upload behavior and missing manifest declarations this increases the need for caution but does not itself indicate elevated privilege requirements.
What to consider before installing
This skill will read local files and upload them to https://www.aicoo.io using an Authorization: Bearer <PULSE_API_KEY>. Before installing: (1) confirm the registry metadata is updated to declare PULSE_API_KEY and review who operates the skill and the aicoo.io service (no homepage/source is provided); (2) only use a credential with the minimum scope and be ready to rotate/revoke it if needed; (3) avoid syncing sensitive files (secrets, private keys, PII) until you trust the endpoint and owner; (4) test with a small non-sensitive folder to validate behavior; and (5) ask the publisher for a homepage, source code, and clarification about retention/privacy of uploaded content. The main concrete mismatch is the missing required env var in the registry manifest — that should be corrected before wider use.

MIT-0

Context Sync

You help users sync local files, notes, and context into Pulse so their shared agent has the right knowledge to represent them.

Prerequisites

  • PULSE_API_KEY environment variable must be set
  • Base URL: https://www.aicoo.io/api/v1

API Model

  • Use /api/v1/os/* for workspace-native operations (notes/folders/snapshots/memory/todos/network/share)
  • Use /api/v1/tools only for non-OS tools (calendar/email/web/messaging/quality/MCP)

Core Workflow

Step 1: Check current state

curl -s -H "Authorization: Bearer $PULSE_API_KEY" \
  "https://www.aicoo.io/api/v1/os/status" | jq .

Step 2: Browse workspace

# folders
curl -s -H "Authorization: Bearer $PULSE_API_KEY" \
  "https://www.aicoo.io/api/v1/os/folders" | jq .

# notes in folder
curl -s -H "Authorization: Bearer $PULSE_API_KEY" \
  "https://www.aicoo.io/api/v1/os/notes?folderId=5&limit=20" | jq .

# note content
curl -s -H "Authorization: Bearer $PULSE_API_KEY" \
  "https://www.aicoo.io/api/v1/os/notes/42" | jq .

Step 3: Search existing notes first

curl -s -X POST "https://www.aicoo.io/api/v1/os/notes/search" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query":"project roadmap"}' | jq .

# deterministic grep (regex/literal + context lines)
curl -s -X POST "https://www.aicoo.io/api/v1/os/notes/grep" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"pattern":"roadmap|timeline","mode":"regex","caseSensitive":false,"contextBefore":3,"contextAfter":3}' | jq .

Step 4: Create or update notes

# create
curl -s -X POST "https://www.aicoo.io/api/v1/os/notes" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"title":"Project Roadmap Q2","content":"# Q2 Roadmap\n\n## Goals\n- Launch v2 API"}' | jq .

# snapshot before edit
curl -s -X POST "https://www.aicoo.io/api/v1/os/snapshots/42" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"label":"Pre-edit"}' | jq .

# edit
curl -s -X PATCH "https://www.aicoo.io/api/v1/os/notes/42" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"content":"# Updated Roadmap\n\n..."}' | jq .

# move (mv)
curl -s -X POST "https://www.aicoo.io/api/v1/os/notes/42/move" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"folderName":"Technical"}' | jq .

# copy (cp)
curl -s -X POST "https://www.aicoo.io/api/v1/os/notes/42/copy" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"folderName":"Archive"}' | jq .

Step 5: Bulk file sync

curl -s -X POST "https://www.aicoo.io/api/v1/accumulate" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "files": [
      {"path":"Technical/architecture.md","content":"# Architecture\n\n..."},
      {"path":"General/team-info.md","content":"# Team\n\n..."}
    ]
  }' | jq .

Step 6: Manage folders

# list
curl -s -H "Authorization: Bearer $PULSE_API_KEY" \
  "https://www.aicoo.io/api/v1/os/folders" | jq .

# create
curl -s -X POST "https://www.aicoo.io/api/v1/os/folders" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"Investor Materials"}' | jq .

Step 7: Delete files

curl -s -X POST "https://www.aicoo.io/api/v1/accumulate" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"delete":[{"path":"Technical/old-doc.md"}]}' | jq .
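
A pre-upload dry run for the bulk sync in Step 5, added here as an example (it is not part of the skill or of Pulse): it walks a local folder, builds the /accumulate body in the files/path/content shape shown above, and withholds symlinks, secret-looking files and memory/self/ identity files unless explicitly allowed. The deny patterns, function names and sample tree are assumptions constructed for illustration.

```python
import fnmatch, json, re, tempfile
from pathlib import Path

DENY_GLOBS = [".env", ".env.*", "*.pem", "*.key", "id_rsa*", "id_ed25519*", "*.p12"]
DENY_CONTENT = re.compile(  # assumed, deliberately broad rules (not from the skill)
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----|AKIA[0-9A-Z]{16}"
    r"|(?i:(?:api[_-]?key|secret|passw(?:or)?d|token)\w*\s*[:=]\s*\S{8,})")
IDENTITY_PREFIX = "memory/self/"  # identity files the skill manages via /accumulate

def build_payload(root, remote_folder="", allow_identity=False):
    """Return (payload, skipped): the /accumulate body and {local path: reason}."""
    root, files, skipped = Path(root).resolve(), [], {}
    for p in sorted(q for q in root.rglob("*") if q.is_symlink() or q.is_file()):
        rel = p.relative_to(root).as_posix()
        remote = f"{remote_folder.strip('/')}/{rel}" if remote_folder else rel
        reason, text = None, ""
        if p.is_symlink():
            reason = "symlink (may point outside the sync root)"
        elif any(fnmatch.fnmatch(p.name, g) for g in DENY_GLOBS):
            reason = "filename matches deny list"
        else:
            text = p.read_bytes().decode("utf-8", errors="replace")
            if "\x00" in text or "\ufffd" in text:
                reason = "not UTF-8 text"
            elif DENY_CONTENT.search(text):
                reason = "content looks like a secret"
            elif remote.startswith(IDENTITY_PREFIX) and not allow_identity:
                reason = "identity file needs explicit opt-in"
        if reason:
            skipped[rel] = reason
        else:
            files.append({"path": remote, "content": text})
    return {"files": files}, skipped

def demo(allow_identity=False):
    samples = {  # constructed sample tree, no real secrets
        ".env": "PULSE_API_KEY=constructed-placeholder\n",
        "docs/architecture.md": "# Architecture\n\nServices talk over gRPC.\n",
        "notes/deploy.md": "db password = hunter2hunter2\n",
        "memory/self/POLICY.md": "# Policy\n\nShare the roadmap with investors only.\n"}
    with tempfile.TemporaryDirectory() as d:
        for rel, text in samples.items():
            Path(d, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(d, rel).write_text(text, encoding="utf-8")
        return build_payload(d, allow_identity=allow_identity)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))  # dry run: what would be sent, what was withheld
```

Review the skipped map before handing the payload to curl; nothing here contacts the network.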

Identity Files (memory/self/)

Use /accumulate to manage:

  • memory/self/COO.md
  • memory/self/USER.md
  • memory/self/POLICY.md

Links Folder Policy (links/)

To customize per-link behavior, edit link notes in links/:

# find link note
curl -s -X POST "https://www.aicoo.io/api/v1/os/notes/search" \
  -H "Authorization: Bearer $PULSE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query":"For-Investors"}' | jq .

Then patch that note via PATCH /api/v1/os/notes/{id}.

When to Use What

| Scenario | Endpoint |
|---|---|
| Browse folders | GET /os/folders |
| List notes in folder | GET /os/notes?folderId=... |
| Search notes | POST /os/notes/search |
| Grep notes (exact/regex + context) | POST /os/notes/grep |
| Read note | GET /os/notes/{id} |
| Create note | POST /os/notes |
| Edit note | PATCH /os/notes/{id} |
| Move note | POST /os/notes/{id}/move |
| Copy note | POST /os/notes/{id}/copy |
| Snapshot save/list/restore | /os/snapshots/{noteId} + /restore |
| Bulk upload/delete | POST /accumulate |

Best Practices

  1. Search before creating to avoid duplicates.
  2. Snapshot before major edits.
  3. Use /accumulate for multi-file sync.
  4. Keep identity and link policy files up to date.
