clawdbot-sync
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Vulnerability in `scripts/handler.sh`. User-supplied `remote_path` from the `/sync add` command is used in the string `ssh ... "mkdir -p $remote_path/$sync_path"`. This allows execution of arbitrary commands on the remote system via shell metacharacters in the path.
- [COMMAND_EXECUTION]: Weak security configuration in `scripts/handler.sh`. The `ssh` utility is invoked with `-o StrictHostKeyChecking=no`, which disables verification of the remote host's identity and exposes the connection to man-in-the-middle attacks.
- [DATA_EXFILTRATION]: The skill is designed to move sensitive files (`memory/`, `MEMORY.md`, `USER.md`) to external network addresses. While this is the primary purpose (synchronization), the capability can be misused to send sensitive agent data to unauthorized endpoints.
- [EXTERNAL_DOWNLOADS]: The `references/setup.md` file includes instructions to download and execute a script from Tailscale's official domain using a `curl | sh` pipe.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface (Category 8).
  - Ingestion points: Files are pulled from remote peers via `rsync` into the local `$WORKSPACE` in `scripts/handler.sh`.
  - Boundary markers: None; the files are synchronized as raw content.
  - Capability inventory: The script uses `ssh`, `rsync`, and `mkdir`.
  - Sanitization: No validation of the content synchronized from remote peers is performed.
Recommendations
- AI detected serious security threats
Audit Metadata