@alfe.ai/openclaw-sync@0.1.10

AlfeSync — agent workspace backup and sync skill for OpenClaw

AI Security Review

scanned 5d ago · by lpm-firewall-ai

The package is an OpenClaw workspace sync plugin/CLI that uploads and restores workspace files through Alfe APIs and presigned URLs. No confirmed malware or decoded remote execution was found, but remote/path-controlled restore and relay delete paths lack clear containment in core download/delete flows.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
OpenClaw plugin startup/hooks, realtime watcher events, sync relay notifications, or user invoking alfesync pull/restore/push.
Impact
Potential workspace data exposure by design and path traversal/destructive overwrite risk if the trusted sync API or relay supplies malicious file paths.
Mechanism
agent workspace cloud sync with remote-directed file write/delete paths
Attack narrative
On OpenClaw startup the plugin can register a service, start a watcher, push changed workspace files to Alfe/S3, pull remote files back, and process WebSocket relay notifications. The observed behavior matches the package purpose, but several remote-file operations write or delete paths formed with join(workspacePath, remotePath) without robust containment checks, creating a serious trust-boundary risk rather than confirmed malicious intent.
Rationale
Static source inspection does not confirm malicious behavior or remote code execution; the risky primitives are package-aligned sync features. However, automatic agent-workspace sync combined with remote-directed write/delete paths that lack consistent traversal protection warrants a warning rather than a clean verdict.
Evidence
  • package.json
  • openclaw.plugin.json
  • dist/plugin2.js
  • dist/sync-engine.js
  • dist/cli/index.js
  • dist/index.js
  • <workspacePath>/**
  • <workspacePath>/shared/**
  • ~/.alfe/sync/manifest.json
Network endpoints (4)
  • wss://sync.dev.alfe.ai/ws
  • wss://sync.demo.alfe.ai/ws
  • wss://sync.test.alfe.ai/ws
  • wss://sync.alfe.ai/ws

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • openclaw.plugin.json activates onStartup and hooks agent start/stop/compaction to pull/push workspace data
  • dist/plugin2.js activate() starts realtime watcher and performs initial syncEngine.push() when configured
  • dist/sync-engine.js uploads changed workspace files via presigned PUT and downloads remote files to disk
  • dist/sync-engine.js and dist/cli/index.js join remote file paths to workspacePath without containment checks in restore/download paths
  • dist/plugin2.js relay FILE_CHANGED deleted events can call removeLocalFile(filePath) from WebSocket messages
Evidence against
  • No npm install/postinstall lifecycle scripts in package.json
  • No eval/Function/vm or remote asset decode/execute found; scanner critical finding appears to confuse downloads with execution
  • Network behavior is aligned with declared Alfe/OpenClaw sync and backup functionality
  • Default ignores exclude .env, .git, node_modules, caches, logs, and common build artifacts
  • Shared sync code includes containment checks for shared scope downloads
Behavioral surface
Source
ChildProcess, Crypto, Filesystem, Network, WebSocket
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 10 file(s), 125 KB of source

Source & flagged code

2 flagged
dist/plugin2.js
L107: });
L108: const response = await fetch(downloadUrl);
L109: if (!response.ok) throw new Error(`Download failed: HTTP ${String(response.status)}`);
...
L111: if (contentLength > MAX_SHARED_FILE_SIZE) throw new Error(`File too large: ${String(contentLength)} bytes exceeds ${String(MAX_SHARED_FILE_SIZE)} limit`);
L112: const buffer = Buffer.from(await response.arrayBuffer());
L113: if (buffer.length > MAX_SHARED_FILE_SIZE) throw new Error(`Downloaded file exceeds size limit: ${String(buffer.length)} bytes`);
...
L296: */
L297: const pkg = createRequire(import.meta.url)("../package.json");
L298: const SYNC_CAPABILITIES = [
...
L472: syncRelayReconnectAttempt = 0;
L473: ws.send(JSON.stringify({
L474: type: "SUBSCRIBE",
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/plugin2.js · L107
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/plugin2.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/plugin2.js

Findings

2 Critical, 1 High, 2 Medium, 4 Low
  • Critical: Remote Asset Decode Execute (dist/plugin2.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/plugin2.js)
  • High: Child Process
  • Medium: Network
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: No License