clawdbot-sync
Audited by Socket on Mar 1, 2026
1 alert found:
Malware
This skill is a plausible and coherent synchronization tool: its declared purpose (syncing workspace memory and skills between Clawdbot instances) aligns with requested capabilities (ssh, rsync). There is no direct evidence of embedded malware, obfuscated code, or external download-and-execute patterns. The primary risk is operational: if a user or agent adds a malicious or compromised peer (intentionally or by mistake), the skill will transmit potentially sensitive workspace data to that peer. Auto-sync increases this risk by enabling repeated transfers without per-sync confirmation. Mitigations: restrict what is stored in the workspace (avoid private keys and secrets), validate and pin peer host keys, require manual approval for new peers, avoid enabling auto-sync for untrusted networks, and add allowlists/denylists for paths to sync. Overall the content appears functionally appropriate but carries moderate security risk because of the sensitive data it moves and the potential for misconfiguration or malicious peers.