@alfe.ai/openclaw-sync@0.2.1

AlfeSync — agent workspace backup and sync skill for OpenClaw

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent extension lifecycle risk. Once activated with an existing Alfe config, the OpenClaw platform extension can automatically sync agent workspace files to and from the Alfe cloud. This is a dangerous agent-extension lifecycle capability, but not an unconsented npm install-time hijack or remote code execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
OpenClaw plugin onStartup/service start or user-invoked alfesync CLI commands
Impact
Agent workspace contents may be uploaded to cloud and remote files may be written/deleted locally within the configured workspace.
Mechanism
workspace backup/sync using watcher, presigned S3 URLs, API client, and Sync Relay WebSocket
Policy narrative
The package is an OpenClaw sync extension and CLI. On platform activation with Alfe credentials, it registers sync services, watches the configured workspace, uploads changed files, downloads remote/shared files, and listens on a Sync Relay WebSocket. The behavior is broad and agent-facing, but it is declared as a platform extension and uses package-aligned Alfe endpoints rather than hidden install-time mutation or decoded payload execution.
Rationale
Static inspection confirms a real automatic agent workspace sync capability, but no npm lifecycle hook, foreign AI-agent control-surface planting, eval/decoded remote execution, or shell execution. Under the policy this fits guarded platform extension lifecycle risk rather than publish-block malware.
Evidence
  • package.json
  • openclaw.plugin.json
  • dist/plugin.js
  • dist/plugin2.js
  • dist/sync-engine.js
  • dist/cli/index.js
  • ~/.alfe/sync/manifest.json
  • <workspace>/.alfesyncignore
  • <workspace>/**
  • <workspace>/shared/**
Network endpoints (6)
  • wss://sync.alfe.ai/ws
  • wss://sync.dev.alfe.ai/ws
  • wss://sync.demo.alfe.ai/ws
  • wss://sync.test.alfe.ai/ws
  • configured Alfe apiUrl
  • presigned file URLs returned by API

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • openclaw.plugin.json activates onStartup and hooks agent start/stop/compaction to alfesync pull/push.
  • dist/plugin2.js starts realtime watcher and firstRunReconcile on platform service start when Alfe config exists.
  • dist/sync-engine.js uploads workspace files via presigned PUT URLs and writes/pulls remote files into workspace.
  • dist/plugin2.js opens persistent Sync Relay WebSocket using configured API key as token.
Evidence against
  • package.json has no npm install/preinstall/postinstall lifecycle scripts.
  • No eval/vm/Function or child_process execution found in inspected JS entrypoints.
  • Network/file behavior is package-aligned sync/restore functionality gated by OpenClaw activation or alfesync CLI and Alfe config.
  • Path traversal checks exist for shared sync downloads; default ignores exclude node_modules, .git, .env, extensions, plugins.
Behavioral surface
Source
ChildProcess, Crypto, Filesystem, Network, WebSocket
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 10 file(s), 132 KB of source

Source & flagged code

2 flagged
dist/plugin2.js

    L108: });
    L109: const response = await fetch(downloadUrl);
    L110: if (!response.ok) throw new Error(`Download failed: HTTP ${String(response.status)}`);
    ...
    L112: if (contentLength > MAX_SHARED_FILE_SIZE) throw new Error(`File too large: ${String(contentLength)} bytes exceeds ${String(MAX_SHARED_FILE_SIZE)} limit`);
    L113: const buffer = Buffer.from(await response.arrayBuffer());
    L114: if (buffer.length > MAX_SHARED_FILE_SIZE) throw new Error(`Downloaded file exceeds size limit: ${String(buffer.length)} bytes`);
    ...
    L297: */
    L298: const pkg = createRequire(import.meta.url)("../package.json");
    L299: const SYNC_CAPABILITIES = [
    ...
    L473: syncRelayReconnectAttempt = 0;
    L474: ws.send(JSON.stringify({
    L475: type: "SUBSCRIBE",

Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/plugin2.js · L108
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/plugin2.js. Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/plugin2.js

Findings

2 Critical · 1 High · 2 Medium · 4 Low
  • Critical: Remote Asset Decode Execute (dist/plugin2.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/plugin2.js)
  • High: Child Process
  • Medium: Network
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: No License