Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
clawd-migrate
v0.2.1
Migrates moltbot or clawdbot data to openclaw by backing up, transferring config, memory, and clawdbook data with verification and automatic setup.
⭐ 0· 643·1 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (migration to openclaw) matches the code and docs. Required languages/tools (Python, Node/npm) are exactly what the package uses. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md and the code instruct the agent to discover, back up, copy, and verify local files, including credential files under .config/moltbook or .config/moltbot, which is appropriate for a migration tool. One notable scope decision: the documentation indicates that, by default, the tool automatically runs 'npm install -g openclaw' and 'openclaw onboard' as a post-migration step; this modifies the host system and reaches out to the npm registry. That behaviour is coherent with 'set up the target app' but is a side effect users should expect and control.
Install Mechanism
No install spec in the registry entry, but the repo contains typical npm wrapper files and a node bin script that invokes the Python package. There are no downloads from unknown URLs, no URL shorteners, and no extraction of remote archives. The prepublish script copies Python sources into lib/ for packaging — standard for an npm-wrapped Python tool.
Credentials
The skill requests no environment variables and does not read arbitrary env vars. It does, however, enumerate local credential files (credentials.json under .config/moltbook or .config/moltbot) and copy them into the new layout and into backups, which is necessary for migration but sensitive. Users should be aware that backups and migrated folders will contain their credentials/API keys.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It can run commands (subprocess) to perform npm installs and run openclaw; that is expected for its purpose but has the usual risk of performing global package installs on the host.
Assessment
This package appears to be what it claims: a local migration tool that copies memory and config files (including credential files) into an openclaw layout and verifies the copies. Before using it:
1) Expect backups and migrated folders to contain credential files and API keys — treat those backups as sensitive.
2) The tool may run 'npm install -g openclaw' and 'openclaw onboard' (network activity and global install); if you don't want that, use the CLI option to skip setup or run migration without the automatic setup, or run the tool offline and perform installation manually after inspection.
3) If running via npx, you will fetch the published npm package — review the published package/source or run from a local clone if you prefer.
4) Run in a controlled/test directory first to confirm behavior.
If you want additional assurance, ask the maintainer for a signed release or audit the installed openclaw package before allowing global install.
Like a lobster shell, security has layers — review code before you run it.
latestvk9703a1twf87nnxs9sw9wb3fn581349j
