Context Sync

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken command or overly broad request could change or remove knowledge in the user's Pulse workspace.

Why it was flagged

The skill documents direct API operations that can create, edit, move, copy, bulk upload, and delete Pulse context. This is expected for a context-sync skill, but these are mutable operations.

Skill content

Create or update notes ... PATCH /api/v1/os/notes/42 ... Step 7: Delete files ... -d '{"delete":[{"path":"Technical/old-doc.md"}]}'

Recommendation

Review the exact files, note IDs, and paths before bulk uploads, edits, or deletes; use snapshots before major edits.

What this means

Anyone or any agent with access to the API key may be able to read or modify the user's Pulse context according to the key's privileges.

Why it was flagged

The skill requires a bearer API key to access and mutate the user's Pulse workspace. This credential use is disclosed and expected for the service integration.

Skill content

`PULSE_API_KEY` environment variable must be set ... Authorization: Bearer $PULSE_API_KEY

Recommendation

Store the key securely, use the least-privileged Pulse key available, and rotate it if it may have been exposed.

What this means

Uploaded files or edited memory may influence future agent behavior and could expose private information if the wrong content is synced.

Why it was flagged

The skill intentionally persists user-provided content into a shared agent's knowledge and identity/policy memory. This is purpose-aligned, but persistent context can carry sensitive data or misleading instructions forward.

Skill content

sync local files, notes, and context into Pulse so their shared agent has the right knowledge ... Use `/accumulate` to manage: `memory/self/COO.md`, `memory/self/USER.md`, `memory/self/POLICY.md`

Recommendation

Sync only intended files, exclude secrets and private data, and review identity or policy memory updates before applying them.