Skill v0.2.1
VirusTotal security
clawd-migrate · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious (Apr 30, 2026, 3:54 AM)
- Hash: 7efd9070bcbbdb11aa871e56c5f97bd5688f476abe9faab2f79ecfc7ea72b885
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: clawd-migrate; Version: 0.2.1. The skill performs high-privilege actions, including extensive file system modifications (backup, migration of config/memory/credentials) and executing external commands. Specifically, `openclaw_setup.py` uses `subprocess.run` with `shell=True` to globally install `openclaw` via `npm install -g openclaw` and then run `openclaw onboard`. While these actions are explicitly declared in `SKILL.md` and the documentation, and the commands themselves are hardcoded (mitigating direct shell injection via user input into the command string), the capability to install global packages and execute arbitrary binaries from npm represents a significant supply chain risk and broad system permissions. There is no evidence of intentional malicious behavior like data exfiltration or backdoors, but the powerful nature of these operations warrants a 'suspicious' classification.
