Context Sync
AdvisoryAudited by VirusTotal on Apr 21, 2026.
Overview
Type: OpenClaw Skill Name: context-sync Version: 1.0.0 The context-sync skill is a legitimate tool designed to synchronize local files and notes with the Pulse platform (aicoo.io). The skill's instructions in SKILL.md and the API reference in reference/API.md clearly outline its functionality, which includes managing folders, searching notes, and performing bulk uploads via the /accumulate endpoint. While the skill involves uploading local data to a remote server, this behavior is transparently documented and aligned with its stated purpose of providing context to a shared agent. No indicators of malicious intent, such as unauthorized data theft, backdoors, or obfuscation, were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command or overly broad request could change or remove knowledge in the user's Pulse workspace.
The skill documents direct API operations that can create, edit, move, copy, bulk upload, and delete Pulse context. This is expected for a context-sync skill, but these are mutable operations.
Create or update notes ... PATCH /api/v1/os/notes/42 ... Step 7: Delete files ... -d '{"delete":[{"path":"Technical/old-doc.md"}]}'Review the exact files, note IDs, and paths before bulk uploads, edits, or deletes; use snapshots before major edits.
Anyone or any agent with access to the API key may be able to read or modify the user's Pulse context according to the key's privileges.
The skill requires a bearer API key to access and mutate the user's Pulse workspace. This credential use is disclosed and expected for the service integration.
`PULSE_API_KEY` environment variable must be set ... Authorization: Bearer $PULSE_API_KEY
Store the key securely, use the least-privileged Pulse key available, and rotate it if it may have been exposed.
Uploaded files or edited memory may influence future agent behavior and could expose private information if the wrong content is synced.
The skill intentionally persists user-provided content into a shared agent's knowledge and identity/policy memory. This is purpose-aligned, but persistent context can carry sensitive data or misleading instructions forward.
sync local files, notes, and context into Pulse so their shared agent has the right knowledge ... Use `/accumulate` to manage: `memory/self/COO.md`, `memory/self/USER.md`, `memory/self/POLICY.md`
Sync only intended files, exclude secrets and private data, and review identity or policy memory updates before applying them.