v1.0.0

Wiz Migration

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:14 AM.

Analysis

The skill appears to be a local Wiz-note migration helper, but users should verify the package files, script path, and copy locations before using it on private notes.

Guidance: Before installing or using this skill, confirm it is the intended Wiz migration package, choose a narrow Wiz data/export source folder, verify the target folder, and do not run any batch script or administrator-elevated command unless you have inspected it and understand what it will copy.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
README.md
python bin/wiz-migrate ... scripts/copy_attachments.bat # Windows batch script

The documentation references runnable helper files, but the provided file manifest does not include bin/wiz-migrate or scripts/copy_attachments.bat. This is a packaging/provenance gap rather than evidence of malicious behavior.

User impact: A user could be confused into locating or creating an unreviewed helper script to complete the documented workflow.
Recommendation: Use the reviewed Python functions where possible, and only run helper scripts whose contents you have verified.
Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/migrator.py
if script_path and os.name == 'nt' and Path(script_path).exists(): return _run_batch_script(...) ... subprocess.run([str(temp_script)], shell=True, ...)

On Windows, the migration function can execute a batch script supplied by path. This is purpose-aligned for attachment migration, but it is still local shell execution.

User impact: If the script path points to an unexpected or modified batch file, it could run local commands beyond the intended copy operation.
Recommendation: Do not pass arbitrary batch files; inspect the script first and prefer the built-in Python copy path when unsure.
Cascading Failures
Severity: Low | Confidence: High | Status: Note
scripts/migrator.py
for root, dirs, files in os.walk(source): ... if d == "_Attachments" or d.endswith("_files"): ... shutil.copytree(attach_dir, dest_path)

The tool recursively finds and copies every matching attachment directory under the chosen source path. This is expected for migration, but a mistaken broad source can propagate many files into the target.

User impact: Choosing the wrong source folder could copy unintended private files or create a large unwanted target tree.
Recommendation: Point the tool only at the Wiz export/data directory, review the target location, and keep a backup before migration.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Attachment copy failed | Insufficient permissions | Run the script as administrator

The troubleshooting table suggests running the script as administrator if copying fails. Elevation is not the default workflow, but it broadens local file access.

User impact: Running the migration script with administrator privileges could let it read or write locations that a normal user account could not.
Recommendation: Try normal-user permissions first; only elevate after reviewing the script and confirming the source and target paths are correct.