
@alfe.ai/openclaw-sync@0.1.11

AlfeSync — agent workspace backup and sync skill for OpenClaw

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The package is an OpenClaw sync plugin/CLI that can upload, download, overwrite, and delete agent workspace files after activation or CLI use. The main unresolved risk is remote path handling in private sync/restore paths, not evidence of intentional malware.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source
Trigger
OpenClaw plugin startup/hooks or user running alfesync pull/restore/realtime sync
Impact
Remote manifest or restore entries could write outside the workspace if upstream data is malicious or compromised; normal operation exfiltrates selected workspace files to Alfe/S3 as documented.
Mechanism
remote-controlled workspace sync with insufficient private path containment
Attack narrative
On activation or lifecycle hooks, the plugin resolves Alfe credentials, syncs the configured workspace, connects to an Alfe relay, and responds to remote file notifications by pulling or deleting files. This is consistent with the package purpose, but private sync and restore paths do not validate that remote paths stay inside workspacePath, creating a real path traversal risk if remote state is attacker-controlled.
Rationale
Static inspection does not confirm malicious payload execution or hidden install-time behavior; the scanner's decode/execute claim was not supported by source. The package should be warned for dangerous agent-workspace sync behavior and path containment gaps, not publish-blocked as malware.
Evidence
  • package.json
  • openclaw.plugin.json
  • README.md
  • dist/plugin.js
  • dist/plugin2.js
  • dist/sync-engine.js
  • dist/cli/index.js
  • ~/.alfe/sync/manifest.json
  • workspace files
  • shared/org/*
  • shared/teams/*
  • shared/projects/*
Network endpoints (4)
  • wss://sync.dev.alfe.ai/ws
  • wss://sync.demo.alfe.ai/ws
  • wss://sync.test.alfe.ai/ws
  • wss://sync.alfe.ai/ws

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • openclaw.plugin.json starts onStartup and runs alfesync pull/push hooks on agent lifecycle
  • dist/sync-engine.js writes remote manifest paths with join(workspacePath, relativePath) without containment checks
  • dist/cli/index.js restore writes bundle file.path under workspace without traversal validation
  • dist/plugin2.js WebSocket relay can trigger pull/delete of workspace files by remote notifications
Evidence against
  • No package.json install/preinstall/postinstall lifecycle scripts
  • dist/plugin2.js scanner-indicated remote decode/execute behavior not present; no eval/Function use found
  • Network use is aligned with documented Alfe sync, S3 presigned URL, and relay functionality
  • Shared sync path has assertContained and file-size cap
  • README and manifest describe workspace backup/sync behavior
Behavioral surface
Source
ChildProcess, Crypto, Filesystem, Network, WebSocket
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 10 file(s), 127 KB of source

Source & flagged code

3 flagged
dist/plugin2.js
    L107: });
    L108: const response = await fetch(downloadUrl);
    L109: if (!response.ok) throw new Error(`Download failed: HTTP ${String(response.status)}`);
    ...
    L111: if (contentLength > MAX_SHARED_FILE_SIZE) throw new Error(`File too large: ${String(contentLength)} bytes exceeds ${String(MAX_SHARED_FILE_SIZE)} limit`);
    L112: const buffer = Buffer.from(await response.arrayBuffer());
    L113: if (buffer.length > MAX_SHARED_FILE_SIZE) throw new Error(`Downloaded file exceeds size limit: ${String(buffer.length)} bytes`);
    ...
    L296: */
    L297: const pkg = createRequire(import.meta.url)("../package.json");
    L298: const SYNC_CAPABILITIES = [
    ...
    L472: syncRelayReconnectAttempt = 0;
    L473: ws.send(JSON.stringify({
    L474: type: "SUBSCRIBE",
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/plugin2.js · L107
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/plugin2.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/plugin2.js
dist/plugin2.cjs
    matchType = previous_version_dangerous_delta
    matchedPackage = @alfe.ai/openclaw-sync@0.1.10
    matchedIdentity = npm:QGFsZmUuYWkvb3BlbmNsYXctc3luYw:0.1.10
    similarity = 0.600
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/plugin2.cjs

Findings

3 Critical, 1 High, 2 Medium, 4 Low
  • Critical · Remote Asset Decode Execute · dist/plugin2.js
  • Critical · Trigger Reachable Dangerous Capability · dist/plugin2.js
  • Critical · Previous Version Dangerous Delta · dist/plugin2.cjs
  • High · Child Process
  • Medium · Network
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · No License