v0.4.4

Claw Drive

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:58 AM.

Analysis

Claw Drive is a coherent personal-file skill, but its optional Google Drive sync can persistently upload the whole local Claw Drive except configured excludes, so users should review the privacy scope carefully.

Guidance: Use this skill only if you are comfortable with an AI-managed local file index. Before enabling Google Drive sync, inspect `.sync-config`, exclude any sensitive categories you want to keep local (such as finance, medical, insurance, contracts, and receipts), and confirm that the background sync daemon is stopped when it is not needed.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
lib/sync.sh
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>

`sync start` writes a launchd plist that runs at login and is kept alive, so sync behavior continues in the background until the user stops it.

User impact: After enabling sync, files can continue syncing automatically on future changes and logins.
Recommendation: Use `claw-drive sync status` to check whether it is running and `claw-drive sync stop` when you no longer want background sync.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
install spec
brew | formula: dissaozw/tap/claw-drive | creates binaries: claw-drive

The skill relies on an externally installed Homebrew CLI for its core operations. That is normal for this design, but the CLI has high-impact access to personal files and optional sync.

User impact: Installing the formula gives the CLI authority to copy, index, delete, and sync files managed by Claw Drive.
Recommendation: Verify the Homebrew tap and installed binary source before using it with private documents.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
lib/sync.sh
rclone config create gdrive drive config_is_local=false config_token="$token"

Optional Google Drive sync creates an rclone remote using an OAuth token. This is expected for cloud sync, but it grants delegated access to the selected Google Drive account.

User impact: The configured rclone remote can access the Google Drive account authorized during setup.
Recommendation: Authorize only the intended account, review `~/.config/rclone/rclone.conf`, and remove the `gdrive` remote if you stop using the skill.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
lib/sync.sh
rclone sync "$CLAW_DRIVE_DIR" "$remote" "${exclude_args[@]}" ...
exclude:
  - identity/
  - .hashes

The sync code uploads the entire local Claw Drive directory to the configured rclone remote except configured excludes; the default config excludes `identity/` and `.hashes`, but not other potentially sensitive categories such as finance, medical, insurance, receipts, or contracts.

User impact: If Google Drive sync is enabled, more personal files may be uploaded to the cloud than a user expects unless they carefully configure exclusions.
Recommendation: Before running `claw-drive sync start` or `sync push`, review `~/claw-drive/.sync-config` and add excludes for any categories or files that should remain local-only.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
Extracted content enters the conversation transcript ... logged permanently to `.jsonl` files. ... Descriptions in INDEX.jsonl are also persistent.

The skill explicitly stores searchable descriptions and warns that content read into the conversation becomes persistent local transcript data.

User impact: Sensitive details included in file descriptions or read into the chat may remain searchable or logged locally.
Recommendation: Only allow content reading for files you are comfortable indexing, and keep descriptions redacted for sensitive documents.