📦 ClawRoam — Identity Sync Cloud
v2.1.1
A portable identity vault for OpenClaw. Like iCloud, it automatically, silently and with encryption syncs your knowledge, plugins and memory across devices, so you always carry your complete digital toolbox with you.
0 · 537 · 0 current · 0 cumulative
Last updated: 2026/4/22
Security scan
OpenClaw
Suspicious
Medium confidence: The skill largely matches its stated purpose (a local vault + optional managed cloud) but contains undeclared backend dependencies, a hard-coded external cloud endpoint, and instructions that will access many local files and may upload archives to a remote service — these mismatches warrant caution before installing or using the managed cloud.
Assessment recommendations
What to consider before installing or using ClawRoam:
- Trust the managed cloud operator: the repository references a specific Cloudflare Workers domain for ClawRoam Cloud. If you choose the managed option, your vault archives (potentially sensitive data) will be uploaded to that remote service. Only use the managed cloud if you trust that operator and understand their privacy/billing terms.
- BYOS is safer if you want control: you can avoid the managed cloud by configuring Google Drive/Dropbo...
⚠ Purpose and capabilities
Name/description promise: a portable encrypted vault that can use BYOS or a managed ClawRoam Cloud. The repository contains matching client-side bash scripts (sync engine, providers, keypair management) so client behavior aligns. However, registry metadata lists no required environment variables while the included cloud backend code (cloud-api/ and cloud-api-worker/) expects server-side secrets (DATABASE_URL, STRIPE_SECRET_KEY, S3_* envs, etc.). The skill bundle therefore mixes a client-only runtime with a deployable backend without declaring those server-side credentials — an inconsistency that makes intent and deployment responsibilities unclear.
⚠ Instruction scope
SKILL.md instructs the agent (via exec/file tools) to run many local scripts that: scan package managers, read/copy files from detected OpenClaw workspace, generate/rotate Ed25519 keypairs, initialize a local git repo, watch and auto-commit local files, and invoke provider scripts that perform OAuth flows or upload/download archives. These actions legitimately belong to a sync vault, but they also grant the skill access to a broad set of user files (USER.md, MEMORY.md, packages lists, openclaw dir) and can push compressed archives to remote providers. The README/CLAUDE.md also point to a specific live Cloudflare Workers domain (clawroam-api.ovisoftblue.workers.dev) — a hard-coded external endpoint not highlighted as a required/third-party endpoint in the skill metadata.
✓ Installation mechanism
There is no installer that downloads arbitrary remote code; the skill is instruction-first and ships local bash scripts and optional Node.js backend sources. Client-side scripts are pure bash (no remote downloads by default). The cloud backend is Node/Cloudflare code included in the repository (requires npm/wrangler to deploy) — that is fine as source, but deploying it requires server secrets (not declared). No suspicious external download URLs or extract steps are present in the skill metadata.
⚠ Credential requirements
Registry metadata declared no required env vars, but the included cloud backend and storage layer clearly expect many environment values (DATABASE_URL, STRIPE_SECRET_KEY, STRIPE_PRICE_ID, S3_ENDPOINT/ACCESS_KEY/SECRET_KEY/Bucket, STORAGE_PATH, PORT, etc.). Provider scripts likely require credentials for rclone/remote providers or S3, and the skill's runtime will prompt for OAuth or credentials if you select a provider. The lack of declared environment requirements is therefore misleading and undercounts sensitive configuration that may be supplied or stored when using the managed cloud or deploying the backend.
ℹ Persistence and permissions
The skill is not force-installed (always:false) and can be invoked by the user. It creates persistent data in ~/.clawroam, generates/stores an Ed25519 private key locally (permissions claimed 600), and can run an auto-sync daemon (on by default after setup). Continuous background sync is expected for a vault but increases blast radius if a remote provider is untrusted or misconfigured. The skill does not request to modify other skills or system-wide agent settings in the code reviewed.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest v2.1.1 2026/2/24
Version 2.1.1
- Updated SKILL.md to reflect the new version number (2.1.1).
- No functionality or behavioral changes; documentation update only.
● Suspicious
Install command
Official: npx clawhub@latest install getlighty-clawroam
Mirror (accelerated): npx clawhub@latest install getlighty-clawroam --registry https://cn.longxiaskill.com