clawd-migrate

Security checks across malware telemetry and agentic risk

Overview

This migration skill has a coherent purpose, but it appears to copy credential-bearing files and run global OpenClaw installation/onboarding by default with insufficient user control.

Install only if you intentionally want a full migration that may copy credentials/API keys into backups and destination folders and may globally reinstall OpenClaw. Run it in a controlled account, review backup permissions, avoid shared or repository-backed output folders, and prefer a dry run or manual migration unless the installer/onboarding steps are made explicit and opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Uses shell=True so npm is found via the same PATH as the user's terminal (macOS/Linux).
    """
    try:
        r = subprocess.run(
            "npm install -g openclaw",
            capture_output=True,
            text=True,
Confidence
95% confidence
Finding
r = subprocess.run( "npm install -g openclaw", capture_output=True, text=True, timeout=120, shell=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Uses shell=True so openclaw is found via PATH (e.g. /usr/local/bin on macOS).
    """
    try:
        r = subprocess.run(
            "openclaw onboard",
            cwd=str(target_dir),
            capture_output=True,
Confidence
96% confidence
Finding
r = subprocess.run( "openclaw onboard", cwd=str(target_dir), capture_output=True, text=True, timeout=60, shell=True,

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation for a verification feature also states that the tool automatically performs a global package reinstall and runs onboarding commands afterward. That expands the operation from passive validation into system-modifying behavior, which can mislead users and downstream integrators into triggering unexpected command execution in environments where only verification was intended.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The CLI advertises openclaw setup as an optional post-migration action via the --setup-openclaw flag, but the implementation runs install_openclaw_and_onboard() by default whenever verification is not skipped. This can trigger an unexpected global npm installation and onboarding workflow, violating user expectations and potentially causing unintended system changes or execution of external tooling.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The module-level claim that backups are 'Never overwrite; always safe' is misleading because the implementation does not guarantee non-overwrite semantics for copied assets. If multiple source paths resolve to the same destination path within the backup directory, later copies can silently replace earlier ones, causing loss of backup fidelity and giving operators a false sense of safety.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The docstring presents the function as 'safe' and machine-agnostic, but the implementation recursively enumerates config, memory, credential-related, and project files under an arbitrary root. In an agent skill context, that framing can mislead callers into treating broad local file discovery as harmless, increasing the chance that sensitive paths are collected and later exposed or exfiltrated.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The banner states the tool will migrate to openclaw 'safely', but the migration path also performs a global reinstall and onboarding step that changes system state outside simple file copying. This is dangerous because users may consent to a file migration while not realizing the tool will also run package-manager driven installation actions and modify their environment.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
Menu option 3 is labeled as performing only backup and migration, but selecting it also triggers openclaw reinstallation and directory onboarding in do_migrate(). This mismatch between UI description and actual behavior can trick users into authorizing broader system modifications than expected, especially because installation appears to invoke npm globally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes automatic execution of a global package install and onboarding flow without prominently warning about the security and operational consequences. Automatic global installation can change host state, pull remote code, and create supply-chain risk, especially in CI, shared systems, or restricted environments where users may not expect any system-wide modifications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly states that migration/backups include config directories containing credentials and API keys, but it does not clearly warn users that secrets will be copied into new locations and backup archives. This increases the risk of accidental exposure through less-protected backup folders, repository commits, file sharing, or broader filesystem access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README states that the tool migrates credentials/API keys and automatically reinstalls and onboards openclaw, but it does not prominently warn users that running it may copy sensitive secrets and make system-level changes. In an agent/tooling context, unclear disclosure increases the chance a user runs the command without informed consent, potentially exposing credentials in backups or triggering unintended installation and configuration actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly states that credentials and API keys under `.config/clawdbook/` will be migrated, but it does not clearly warn users that highly sensitive secrets are being copied, relocated, and preserved in backups. This increases the risk of accidental disclosure through insecure backup locations, permissive file permissions, or unintended transfer of secrets between environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill says it will reinstall `openclaw` globally and run `openclaw onboard` automatically, but it does not present this as a prominent warning or require explicit acknowledgment. Automatic software installation and onboarding can change system state, pull unreviewed code from package registries, and trigger additional networked or privileged actions the user may not expect.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code explicitly searches for and recursively lists configuration paths described as containing credentials and API keys, then returns all matching files without any warning, consent, or minimization. In an agent environment, this materially increases the risk of sensitive secret discovery and downstream leakage, especially because the function can operate over any supplied root and also scans extra directories for project files.

Unvalidated Output Injection

High
Category
Output Handling
Content
Uses shell=True so npm is found via the same PATH as the user's terminal (macOS/Linux).
    """
    try:
        r = subprocess.run(
            "npm install -g openclaw",
            capture_output=True,
            text=True,
Confidence
91% confidence
Finding
subprocess.run( "npm install -g openclaw", capture_output

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Uses shell=True so npm is found via the same PATH as the user's terminal (macOS/Linux).
    """
    try:
        r = subprocess.run(
            "npm install -g openclaw",
            capture_output=True,
            text=True,
Confidence
94% confidence
Finding
subprocess.run( "npm install -g openclaw", capture_output=True, text=True, timeout=120, shell=True

VirusTotal

64/64 vendors flagged this skill as clean.
