registry  /  @alfe.ai/openclaw-sync  /  0.2.0

@alfe.ai/openclaw-sync@0.2.0

AlfeSync — agent workspace backup and sync skill for OpenClaw

AI Security Review

scanned 10h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. This is an OpenClaw sync extension that can automatically upload, download, and delete workspace files when enabled by the OpenClaw plugin lifecycle or CLI. The behavior is package-aligned but high-trust because it mirrors agent config, conversations, and memory to Alfe/S3-backed services.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
OpenClaw plugin startup/hooks or explicit alfesync CLI commands after Alfe login/config exists
Impact
Potential exposure or overwrite of workspace data if the configured Alfe service/account or remote manifests are compromised; no concrete malicious exfiltration or install-time hijack was found.
Mechanism
agent workspace cloud sync via file watcher, presigned URLs, API client, and sync relay
Rationale
The scanner's remote decode/execute concern was not confirmed in source; dist/plugin2.js uses fetch for file sync and WebSocket notifications, not dynamic payload execution. Because the package is a first-party OpenClaw sync extension with automatic workspace backup behavior, it merits a warning rather than a publish block.
Evidence
package.jsonopenclaw.plugin.jsondist/plugin2.jsdist/sync-engine.jsdist/cli/index.jsdist/defaults/common.alfesyncignoredist/defaults/openclaw.alfesyncignoreREADME.md~/.alfe/config.toml~/.alfe/sync/manifest.json.alfesyncignoreshared/workspace files under configured workspacePath
Network endpoints5
wss://sync.alfe.ai/wswss://sync.dev.alfe.ai/wswss://sync.demo.alfe.ai/wswss://sync.test.alfe.ai/wsalfe.ai

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • openclaw.plugin.json activates onStartup and hooks agent start/stop/compaction to pull/push workspace data
  • dist/plugin2.js starts realtime watcher and firstRunReconcile on plugin service start after Alfe config is present
  • dist/sync-engine.js uploads changed workspace files via presigned PUT URLs and confirms uploads through AgentApiClient
  • dist/plugin2.js connects to wss://sync.alfe.ai/ws or environment variants using the Alfe API key
  • dist/sync-engine.js and dist/cli/index.js write downloaded remote files into workspace during pull/restore
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • network behavior is aligned with @alfe.ai package purpose and uses @alfe.ai/config credentials
  • default ignores exclude .env, node_modules, .git, plugins/extensions/npm runtime dirs, logs, caches, and .alfesync
  • no eval, Function, vm, child_process, native binary loading, or decoded remote code execution found in inspected JS
  • shared file downloads enforce size limits and containment for shared scope paths
  • README and manifest disclose workspace backup/sync behavior and OpenClaw plugin hooks
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkWebSocket
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 10 file(s), 132 KB of source

Source & flagged code

2 flagged · loading source
dist/plugin2.jsView file
108}); L109: const response = await fetch(downloadUrl); L110: if (!response.ok) throw new Error(`Download failed: HTTP ${String(response.status)}`); ... L112: if (contentLength > MAX_SHARED_FILE_SIZE) throw new Error(`File too large: ${String(contentLength)} bytes exceeds ${String(MAX_SHARED_FILE_SIZE)} limit`); L113: const buffer = Buffer.from(await response.arrayBuffer()); L114: if (buffer.length > MAX_SHARED_FILE_SIZE) throw new Error(`Downloaded file exceeds size limit: ${String(buffer.length)} bytes`); ... L297: */ L298: const pkg = createRequire(import.meta.url)("../package.json"); L299: const SYNC_CAPABILITIES = [ ... L473: syncRelayReconnectAttempt = 0; L474: ws.send(JSON.stringify({ L475: type: "SUBSCRIBE",
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/plugin2.jsView on unpkg · L108
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/plugin2.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/plugin2.jsView on unpkg

Findings

2 Critical1 High2 Medium4 Low
CriticalRemote Asset Decode Executedist/plugin2.js
CriticalTrigger Reachable Dangerous Capabilitydist/plugin2.js
HighChild Process
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License