registry  /  @alfe.ai/openclaw-sync  /  0.2.5

@alfe.ai/openclaw-sync@0.2.5

AlfeSync — agent workspace backup and sync skill for OpenClaw

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is a first-party OpenClaw sync extension that can upload, download, delete, and restore files in the configured agent workspace when activated. The behavior is sensitive but package-aligned; no concrete malicious payload execution or credential exfiltration chain was found.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
OpenClaw plugin startup, agent lifecycle hooks, gateway RPC sync.now, WebSocket relay notification, or explicit alfesync CLI command
Impact
Workspace contents may be synced to Alfe/S3-backed storage and remote cloud state may overwrite or delete local files with conflict handling.
Mechanism
agent workspace backup/sync extension with file watcher, presigned URL transfer, and relay-driven pulls/deletes
Rationale
Source inspection supports a warning for first-party agent extension lifecycle risk and broad sync capability, not a malicious block. The scanner's remote decode/execute and child_process implications were not confirmed in the inspected source entrypoints.
Evidence
package.jsonopenclaw.plugin.jsondist/index.jsdist/plugin.jsdist/plugin2.jsdist/sync-engine.jsdist/cli/index.js~/.alfe/sync/manifest.json<workspace>/.alfesyncignore<workspace>/shared/<workspace>/RECOVERY-*.md<workspace>/*.conflict-*
Network endpoints4
wss://sync.alfe.ai/wswss://sync.dev.alfe.ai/wswss://sync.demo.alfe.ai/wswss://sync.test.alfe.ai/ws

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • openclaw.plugin.json activates package-owned OpenClaw plugin onStartup and runs alfesync hooks on agent start/stop/compaction.
  • dist/plugin2.js activate() starts realtime watcher, scheduled sync, daemon IPC, and WebSocket relay using Alfe config API key.
  • dist/sync-engine.js uploads workspace files to presigned URLs and downloads/restores remote files into the configured workspace.
  • dist/sync-engine.js writes sync state under ~/.alfe/sync/manifest.json and recovery/conflict files in the workspace.
Evidence against
  • package.json has no npm preinstall/install/postinstall lifecycle hooks.
  • dist/plugin2.js and dist/sync-engine.js contain package-aligned sync logic, not remote asset decode/execute.
  • No eval, Function, child_process execution, native binary loading, or obfuscated staged payload found in inspected entrypoints.
  • Default ignores include secrets and extension/plugin/npm directories, reducing broad agent-control-surface sync.
  • OpenClaw mutation is via first-party plugin metadata and runtime activation, not unconsented npm install-time mutation.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkWebSocket
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 10 file(s), 162 KB of source

Source & flagged code

3 flagged · loading source
dist/plugin2.jsView file
108}); L109: const response = await fetch(downloadUrl); L110: if (!response.ok) throw new Error(`Download failed: HTTP ${String(response.status)}`); ... L112: if (contentLength > MAX_SHARED_FILE_SIZE) throw new Error(`File too large: ${String(contentLength)} bytes exceeds ${String(MAX_SHARED_FILE_SIZE)} limit`); L113: const buffer = Buffer.from(await response.arrayBuffer()); L114: if (buffer.length > MAX_SHARED_FILE_SIZE) throw new Error(`Downloaded file exceeds size limit: ${String(buffer.length)} bytes`); ... L297: */ L298: const pkg = createRequire(import.meta.url)("../package.json"); L299: const SYNC_CAPABILITIES = [ ... L473: syncRelayReconnectAttempt = 0; L474: ws.send(JSON.stringify({ L475: type: "SUBSCRIBE",
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/plugin2.jsView on unpkg · L108
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/plugin2.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/plugin2.jsView on unpkg
dist/plugin2.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @alfe.ai/openclaw-sync@0.2.1 matchedIdentity = npm:QGFsZmUuYWkvb3BlbmNsYXctc3luYw:0.2.1 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/plugin2.cjsView on unpkg

Findings

3 Critical1 High2 Medium4 Low
CriticalRemote Asset Decode Executedist/plugin2.js
CriticalTrigger Reachable Dangerous Capabilitydist/plugin2.js
CriticalPrevious Version Dangerous Deltadist/plugin2.cjs
HighChild Process
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License