clawd-migrate

Security checks across malware telemetry and agentic risk

Overview

This looks like a real migration tool, but normal migration can copy credentials and automatically reinstall OpenClaw globally with inconsistent user controls.

Install only if you intend to migrate sensitive bot files and are comfortable with credentials, API keys, and memory being copied into backups and OpenClaw config folders. Run it only from an explicit trusted source directory, keep backup/output folders private, review migrated instruction and credential files, and treat the default migration flow as capable of globally reinstalling OpenClaw and running onboarding unless you isolate or change the workflow first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Uses shell=True so npm is found via the same PATH as the user's terminal (macOS/Linux).
    """
    try:
        r = subprocess.run(
            "npm install -g openclaw",
            capture_output=True,
            text=True,
Confidence
93% confidence
Finding
r = subprocess.run( "npm install -g openclaw", capture_output=True, text=True, timeout=120, shell=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Uses shell=True so openclaw is found via PATH (e.g. /usr/local/bin on macOS).
    """
    try:
        r = subprocess.run(
            "openclaw onboard",
            cwd=str(target_dir),
            capture_output=True,
Confidence
92% confidence
Finding
r = subprocess.run( "openclaw onboard", cwd=str(target_dir), capture_output=True, text=True, timeout=60, shell=True,

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation states that after verification, the tool automatically performs a global package reinstall and runs onboarding commands. These actions materially change the host environment and are unrelated to verifying copied files, so bundling them into a verification flow can surprise users and cause unintended system modifications, especially on developer machines or CI runners.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The CLI advertises openclaw setup as an explicit opt-in via --setup-openclaw, but the migration path actually installs and onboards openclaw by default whenever --skip-verify is not set. This mismatch can cause unexpected execution of external package installation and onboarding steps, violating user expectations and increasing supply-chain and system-modification risk.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring presents the routine as broadly 'safe for any user's system' while the implementation recursively enumerates configuration, memory, and credential-related assets beneath the selected root. That mismatch can mislead downstream agents or users into treating the function as harmless discovery when it is actually inventorying potentially sensitive files that could later be exfiltrated or processed without informed consent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function behavior exceeds what its description communicates: after migration it unconditionally reinstalls software and onboards the directory. In an interactive migration tool, this is dangerous because users may consent to file migration but not to a package installation or environment modification, creating a deceptive consent boundary and enabling unexpected code execution through npm installation.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The menu option advertises a 'full migration' but actually triggers additional actions: reinstalling openclaw and onboarding the selected directory. This mismatch is security-relevant because it can socially engineer users into authorizing software installation and project-state changes they did not intend, especially since the tool operates on arbitrary user-selected directories.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The documentation explicitly states that credentials and API keys are migrated and stored under a new configuration path, but it does not warn users that this process handles highly sensitive secrets. In a migration tool context, omission of sensitivity and secret-handling guidance can lead to insecure copying, accidental inclusion in backups, logs, or version control, increasing the chance of credential exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file describes automatic global reinstall and onboarding without prominently warning that they modify the user's global environment. In a migration utility, users may reasonably expect file-copy verification only; silently adding global package installation increases the risk of unauthorized changes, dependency drift, and execution of package lifecycle scripts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly states that credentials and API keys under configuration directories are migrated, but it does not prominently warn users that these secrets will be copied into new locations and backups. That increases the risk of accidental exposure through copied directories, backups, version control, or insecure sharing of the migrated output.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The optional setup flow directs users to run `npm i -g openclaw` and `openclaw onboard`, which make system-wide and filesystem changes, but the documentation does not present a strong warning about those side effects. Users may execute these commands without understanding that they install software globally and modify the target directory, increasing supply-chain and unintended-change risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that credentials and API keys under `.config/moltbot/` are migrated, but it does not clearly warn users that sensitive secrets will be copied into backups and new locations. This can lead users to run the tool without understanding the exposure risk, increasing the chance of accidental disclosure through insecure backup storage, repository commits, or permissive filesystem access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly states it migrates clawdbook/Moltbook credentials and API keys, but it does not prominently warn users that sensitive secrets will be discovered, copied, relocated, and stored in backups. That omission is dangerous because users may run the migration on shared or insecure systems without realizing credentials will be duplicated and persist in additional locations, increasing exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill says it will reinstall openclaw with a global npm command and automatically run `openclaw onboard`, but the documentation does not clearly warn that these actions modify the system and may execute additional setup behavior. This is risky because users may expect a file migration only, while the skill also performs package installation and onboarding steps that change software state and could have side effects on the host environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code recursively walks configured paths and collects files explicitly described as containing credentials and API keys, without any warning, permission check, or minimization. In an agent skill context, building a structured inventory of sensitive files significantly lowers the barrier to secret harvesting, because later components can immediately read or transmit the discovered paths.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill automatically performs a global npm installation and then runs an onboarding command without any user confirmation or warning. In an agent skill context, this is risky because it changes the host system state, installs executable code from the network, and may surprise users who did not intend to authorize system-wide modifications.

VirusTotal

64/64 vendors flagged this skill as clean.
