Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wiz Migration
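v1.0.0 · WizNote migration helper skill, providing a complete migration workflow: automatic storage directory detection, guided export steps, and batch attachment migration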
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Wiz note migration) aligns with the included Python modules for detecting data dirs, generating guides, and copying attachments. However there are packaging inconsistencies: __init__.py attempts to import a module using a hyphenated name (from bin.wiz-migrate) which will fail, README/SKILL.md reference a scripts/copy_attachments.bat and a bin entrypoint that are not present in the manifest, and skill.json contains a homepage/repo while the top-level metadata says 'Source: unknown'/'Homepage: none'. These indicate sloppy packaging or missing files.
Instruction Scope
SKILL.md directs only to local filesystem operations (detecting paths, generating markdown, copying attachment folders, optionally running a batch script). It does not instruct network transfers or reading unrelated config/credentials. The only broader action is executing a batch script (if provided), which will run arbitrary commands on the host — this is expected for a migration tool but expands the blast radius if the batch file is malicious or tampered with.
Install Mechanism
No install spec; code is instruction/package-based and runs from the skill directory. No remote downloads or archive extraction are requested. That is low risk from an install-mechanism perspective.
Credentials
The skill requires no environment variables or external credentials. It uses os.path.expandvars to expand filesystem templates (normal). It writes local logs (migration_log.json) and temporary batch scripts in the working directory — no hidden credential access was requested or observed.
Persistence & Privilege
always is false and the skill does not request permanent platform-wide privileges. It will create temporary files (temp_copy_attachments.bat) and a migration_log.json in the working directory; it does not modify other skills or global agent configuration.
Scan Findings in Context
[no_findings] expected: Static regex scanner reported no findings. This is consistent with the skill being primarily filesystem-manipulating Python code; absence of findings does not imply the package is error-free or correctly packaged.
What to consider before installing
This skill appears to implement the advertised Wiz-note migration features and works only with local files, but there are packaging and safety issues you should consider before installing:
- Packaging inconsistencies: the package references entry points and a batch file that aren't present; an import in __init__.py is malformed (hyphen in module name) and may cause runtime errors. Expect possible failures when invoking start_wizard() or the package entrypoint.
- Batch script execution: the migrator can write and run a temporary .bat file or run a user-supplied batch script. Only run this skill on a machine you control and after inspecting any batch scripts; do not run it on sensitive systems without review.
- Back up data first: the tool manipulates/copies attachments. Make a full backup of the source folder before running.
- Inspect source code: if you can, open scripts/migrator.py and any batch scripts to confirm there are no unexpected commands (network calls, deletion, or uploads). The Python code here does local copy operations; check for any modifications in the packaged version you install.
- Verify provenance: skill.json points to a GitHub repo but top-level metadata says source unknown — if provenance matters, follow the repository link and confirm the upstream project and releases.
If you need help examining the batch script or validating the package before running, provide the batch file content or run the included Python functions in a sandbox/non-production environment.
Like a lobster shell, security has layers — review code before you run it.
