@alfe.ai/openclaw-sync@0.2.4

AlfeSync — agent workspace backup and sync skill for OpenClaw

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only first-party agent extension lifecycle risk. The first-party OpenClaw plugin can automatically sync an agent workspace to Alfe/S3-backed storage and restore remote files locally. This is package-aligned but high-impact if enabled in an agent runtime.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
OpenClaw plugin startup, agent lifecycle hooks, or explicit alfesync CLI commands
Impact
Agent workspace files may be uploaded, downloaded, overwritten, or deleted according to sync state; no confirmed malicious execution path found.
Mechanism
workspace backup/restore via Alfe API, presigned URLs, watcher, and sync relay
Rationale
Static inspection supports a warn-level agent extension lifecycle risk rather than malicious blocking: the package automatically syncs agent workspace data when enabled, but it has no npm lifecycle hook or decoded remote execution and its network/file behavior is consistent with Alfe/OpenClaw sync functionality. Scanner claims of remote asset decode/execute appear to be false positives from fetch-and-write sync paths.
Evidence
  • package.json
  • openclaw.plugin.json
  • dist/plugin2.js
  • dist/sync-engine.js
  • dist/cli/index.js
  • dist/defaults/common.alfesyncignore
  • dist/defaults/openclaw.alfesyncignore
  • workspacePath files
  • workspacePath/shared/**
  • workspacePath/.alfesyncignore
  • workspacePath/RECOVERY-*.md
  • workspacePath/HEARTBEAT.md
  • ~/.alfe/sync/manifest.json
Network endpoints (6)
  • wss://sync.alfe.ai/ws
  • wss://sync.dev.alfe.ai/ws
  • wss://sync.demo.alfe.ai/ws
  • wss://sync.test.alfe.ai/ws
  • configured apiUrl
  • presigned downloadUrl/upload URL

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • openclaw.plugin.json activates on startup and hooks agent start/stop/compaction to run alfesync pull/push.
  • dist/plugin2.js starts realtime watcher and scheduled sync inside plugin activate/registerService.
  • dist/sync-engine.js uploads workspace files to presigned URLs and writes downloaded remote files into workspace.
  • dist/plugin2.js connects to Alfe sync relay WebSocket with API token query parameter.
Evidence against
  • package.json has no npm preinstall/install/postinstall lifecycle scripts.
  • No eval/vm/Function or child_process execution found in inspected source.
  • Network and file sync behavior is package-aligned: Alfe/OpenClaw workspace backup/sync.
  • Default ignores exclude .env, node_modules, git, caches, extensions/plugins/npm runtime dirs.
  • Fetches in dist/plugin2.js and dist/sync-engine.js download files; no decoded remote code execution observed.
Behavioral surface
Source
ChildProcess, Crypto, Filesystem, Network, WebSocket
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 10 file(s), 162 KB of source

Source & flagged code

2 flagged
dist/plugin2.js
    L108: });
    L109: const response = await fetch(downloadUrl);
    L110: if (!response.ok) throw new Error(`Download failed: HTTP ${String(response.status)}`);
    ...
    L112: if (contentLength > MAX_SHARED_FILE_SIZE) throw new Error(`File too large: ${String(contentLength)} bytes exceeds ${String(MAX_SHARED_FILE_SIZE)} limit`);
    L113: const buffer = Buffer.from(await response.arrayBuffer());
    L114: if (buffer.length > MAX_SHARED_FILE_SIZE) throw new Error(`Downloaded file exceeds size limit: ${String(buffer.length)} bytes`);
    ...
    L297: */
    L298: const pkg = createRequire(import.meta.url)("../package.json");
    L299: const SYNC_CAPABILITIES = [
    ...
    L473: syncRelayReconnectAttempt = 0;
    L474: ws.send(JSON.stringify({
    L475: type: "SUBSCRIBE",
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/plugin2.js · L108
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/plugin2.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/plugin2.js

Findings

2 Critical · 1 High · 2 Medium · 4 Low
  • Critical: Remote Asset Decode Execute (dist/plugin2.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/plugin2.js)
  • High: Child Process
  • Medium: Network
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: No License