Back to skill

Security audit

Openclaw Migration

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent local migration tool, but its script can migrate more secrets than the user-facing instructions promise, including some tokens in the supposedly non-secret mode.

Review this before installing or running. Use dry-run first, avoid full migration unless you want API keys moved, and do not rely on the “user-data only” wording to exclude all tokens until the script is fixed. Back up ~/.hermes and inspect imported skills, command allowlists, memories, SOUL.md, workspace instructions, and .env changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to read from ~/.openclaw and write into ~/.hermes, but it declares no permissions or equivalent capability boundaries. That creates a transparency and governance problem: a user or platform may treat it as low-risk while it actually performs broad file import and overwrite operations, increasing the chance of unintended data modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented description understates the migration scope relative to the behavior described in the file, including importing messaging settings, secrets, config, shared skills, backups, and archival actions. Behavior/description drift is dangerous because users may consent to a seemingly limited migration while the skill actually touches additional sensitive configuration and credential material.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.