agent-pack-n-go

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for legitimate device migration, but it clones credentials and SSH keys and makes broad remote system and persistence changes that users should review before installing.

Install only if you intentionally want a full clone to a fully trusted target device. Before running it, review the generated archive contents, exclude or rotate unnecessary SSH keys and tokens, inspect copied skills, memory, exec approvals, cron jobs, /etc/hosts, and proxy settings, avoid permission-skipping execution, remove passwordless sudo immediately after verification, and delete migration archives from both machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (30)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill clearly instructs the agent to run shell commands, write files, transfer archives, and perform remote deployment, yet no permissions are declared. This undermines the platform's permission model and prevents users or reviewers from accurately understanding the skill's capabilities before execution.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: The description frames the skill as a straightforward encrypted clone operation, but the documented behavior extends into highly sensitive and system-level actions such as migrating SSH material, restoring cron, modifying /etc/hosts, running external diagnostics, and installing software. This mismatch is dangerous because users may consent to a migration without realizing they are also authorizing credential replication, persistence changes, and broad system modification.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The script does more than one-time data restoration: it installs, enables, and starts a persistent OpenClaw gateway service, and falls back to a background nohup process if service installation fails. In a migration skill that also restores configs, memory, and credentials, creating long-lived execution on the new host materially increases risk because imported state can immediately become active without an explicit re-consent step.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The script imports and activates the migrated crontab wholesale, which can recreate arbitrary scheduled execution on the target device. Because the crontab content comes from the migration pack and is not validated or previewed, this can silently re-establish persistence or run unsafe commands under the new user's account.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The generated instructions modify system-level state outside the advertised scope of cloning an agent, including /etc/hosts, package installation, proxy configuration, and service persistence. Because these actions are driven by files extracted from a migration bundle, they can apply attacker-controlled system changes under the guise of migration and materially expand compromise on the new device.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: Installing proxychains4 and restoring its configuration introduces traffic redirection capability unrelated to basic agent cloning. If the migration pack contains a malicious proxychains4.conf, subsequent network traffic may be covertly rerouted through attacker-controlled proxies, enabling interception, evasion, or command-and-control behavior.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: Restoring an arbitrary crontab from the migration archive imports scheduled execution from the source device without reviewing what jobs will run on the destination. This can recreate persistence, data exfiltration, or malicious maintenance tasks automatically, making the new device inherit any compromised scheduled jobs from the old environment.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The script exports additional system and user state beyond the advertised scope, including crontab entries, selected /etc/hosts entries, the dashboard directory, and the current username. This broadens collection to operational and environment-specific data that may reveal persistence mechanisms, internal host mappings, or personal system details, increasing privacy and security risk during migration.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The setup script installs proxychains4, a proxy/evasion utility unrelated to the core migration workflow of restoring an agent onto a new device. In the context of a skill that already transfers configs, memory, credentials, and enables remote deployment over SSH, adding a network redirection tool expands post-install capability in a way that can facilitate covert outbound access or bypass network controls.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The README explicitly states that credentials, OAuth data, and SSH keys are cloned to another device, but it does not prominently warn users that this duplicates highly sensitive secrets and expands the trust boundary to the destination host. In this skill’s context, that is especially dangerous because the feature is designed to automate full-agent migration, so users may approve secret transfer without understanding that compromise of the new device would immediately expose all cloned identities and access.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The README advertises fully automated setup, deployment, runtime installation, and gateway startup on the target device, but it does not clearly warn that the skill will make substantial remote system changes. In this context, the omission matters because the skill is specifically intended to run over SSH against another machine, increasing the chance that users authorize invasive modifications without understanding the scope of changes to packages, configs, services, and startup behavior.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The trigger list includes broad phrases like 'copy agent' and 'pack and go' that could plausibly appear in normal conversation and unintentionally activate a highly privileged migration workflow. Because the workflow transfers credentials and performs remote actions, accidental invocation materially raises risk.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The post-install message promotes one-click cloning of configs, memory, skills, and keys but omits an upfront warning that the skill migrates secrets and performs automated SSH-based remote changes. That omission can cause users to enable or invoke the skill without informed consent regarding credential handling and system modification.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The guide explicitly instructs users to run Claude Code with --dangerously-skip-permissions, which disables execution safeguards and permits unrestricted tool use during a migration that includes credentials, SSH keys, systemd, sudo, and file deletion steps. In this context, a malformed or tampered migration-instructions.md could cause arbitrary privileged actions on the new host with little user oversight.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The migration process restores highly sensitive material including Claude config, API keys, channel credentials, and SSH private keys onto a new device, but the execution step does not prominently warn the user about the sensitivity or trust requirements of the destination host. This increases the chance of credential exposure, accidental propagation to an untrusted machine, or insecure handling during and after restore.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The guide instructs users to append entries to /etc/hosts using sudo tee -a, which modifies a privileged system file and can affect system-wide name resolution. Although presented as troubleshooting, it gives no warning about requiring elevated privileges, validating the IPs, backing up the file, or the risk of breaking network behavior if stale or incorrect entries are added.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The troubleshooting step performs in-place sed replacement on user configuration files, which can silently overwrite valid settings or corrupt files if the username variable is wrong or the pattern matches unintended content. In a migration skill that moves configs and state across devices, this is more dangerous because path inconsistencies are expected and broad automated edits can damage the restored environment.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The guide tells users to kill processes with kill -9, which forcibly terminates them without cleanup and can cause data loss, corrupted state, or incomplete shutdown of services. In the context of an agent migration/deployment workflow, abrupt termination is especially risky because the process may be writing config, memory, or credential-related state when it is killed.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script restores configuration and then proceeds to make persistent changes, including path rewrites, /etc/hosts edits, and crontab activation, without any interactive confirmation or explicit warning. For a skill that migrates credentials and memory to a new device, silent persistence-related changes reduce user awareness and can mask risky or unexpected behavior imported from the old system.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The script extracts a migration pack and restores user/application data such as OpenClaw configuration without disclosing the sensitivity of the contents at execution time. In the context of this skill, which explicitly promises to move memory, skills, and credentials, handling opaque archives without validation or prominent disclosure creates risk of importing secrets and unsafe state from an untrusted or stale bundle.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The script generates authoritative step-by-step instructions for privileged operations, but provides no up-front warning that they change system files, install packages, enable persistence, and alter network behavior. In an agent skill context, this is dangerous because users may treat the generated playbook as trusted automation and execute high-risk commands without informed consent or review.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The script copies sensitive material from ~/.openclaw, including credentials, with no explicit consent prompt, warning, or selective export flow. Packaging secrets by default into a portable archive materially increases the chance of credential theft if the archive, temp directory, or transfer path is exposed.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The script archives private SSH keys from ~/.ssh into the migration bundle without a strong warning, separate consent, or safer key-migration mechanism. Private SSH keys can grant direct access to other systems and services; bundling them into a transferable tarball creates a high-value target whose compromise can lead to broad account and infrastructure takeover.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The script restores SSH private keys directly into ~/.ssh from a migration pack without an explicit confirmation, warning, passphrase validation, or trust boundary check. This is highly sensitive because it copies authentication material to a new host, and if the pack or destination is compromised, those keys can be used for lateral movement and persistent unauthorized access.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: This script performs network transfer of a migration bundle and then instructs remote execution of setup and deploy scripts against an arbitrary USER@HOST target without any interactive confirmation, host trust validation, or safety warning. In this skill’s context, the transferred artifacts explicitly include configs, memory, skills, and credentials, so a mistaken or attacker-controlled destination could result in full agent compromise and credential exfiltration.

VirusTotal

62/62 vendors flagged this skill as clean.