Openclaw Migration
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This migration skill is mostly purpose-aligned, but it appears able to migrate more secrets and API keys than the visible description highlights.
Install or run this only after a dry run. Avoid --migrate-secrets unless you explicitly want provider API keys and service tokens moved, back up ~/.hermes first, and review imported skills, command allowlists, memories, SOUL.md, and workspace instructions before using the migrated Hermes setup.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If secret migration is enabled, API keys or service tokens may be copied into Hermes configuration in addition to the Telegram token a user may expect.
The helper declares migration support for multiple provider/API secrets. The visible SKILL.md text says --migrate-secrets currently imports TELEGRAM_BOT_TOKEN, so the credential scope appears broader than the user-facing description.
SUPPORTED_SECRET_TARGETS={
"TELEGRAM_BOT_TOKEN",
"OPENROUTER_API_KEY",
"OPENAI_API_KEY",
"ANTHROPIC_API_KEY",
"ELEVENLABS_API_KEY",
"VOICE_TOOLS_OPENAI_KEY",
}
Do not use --migrate-secrets or a full secret-migration mode unless you have reviewed the dry-run output and are comfortable moving each listed key; maintainers should align the documentation and metadata with the exact secret allowlist.
Existing OpenClaw allowlist entries or skills could grant Hermes behavior or command access you have not recently reviewed.
The migration intentionally changes Hermes command permissions and imports skills. This is disclosed and purpose-aligned, but it changes what the agent may be able to do later.
- merge OpenClaw command approval patterns into Hermes `command_allowlist`
- copy OpenClaw skills into `~/.hermes/skills/openclaw-imports/`
Run a dry run first, review all imported allowlist entries and skills, and skip or edit anything you no longer want Hermes to use.
Private memories or old instructions may persist in Hermes and influence later sessions.
The skill migrates persistent persona, memory, user profile, and workspace instruction content into Hermes. That is expected for a migration tool, but these files can affect future agent context.
- import `SOUL.md` into the Hermes home directory as `SOUL.md`
- transform OpenClaw `MEMORY.md` and `USER.md` into Hermes memory entries
- optionally copy the OpenClaw workspace instructions file into a chosen Hermes workspace
Review the imported memories, SOUL.md, and workspace instructions before relying on the migrated Hermes environment.
Users have less external provenance information for code that can modify Hermes configuration and migrate sensitive local data.
The package includes a runnable migration helper but does not provide a source repository or homepage in the supplied metadata. This is a provenance gap, not proof of malicious behavior.
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Code file presence: scripts/openclaw_to_hermes.py
Inspect the script and verify the publisher/source before running it on important Hermes or OpenClaw data.
