Back to skill
Skillv0.2.1
VirusTotal security
clawd-migrate · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:54 AM
- Hash
- 7c28c559f1cd90df786ab3ab89403ccc131e815cc3db04e351f92dbe7b8ac776
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawdmigrate Version: 0.2.1 The skill is classified as suspicious due to its use of `subprocess.run(shell=True)` in `openclaw_setup.py` and `spawnSync(shell: true)` in `bin/clawd-migrate.js` for executing external commands like `npm install -g openclaw` and `openclaw onboard`. While these commands are hardcoded and directly align with the skill's stated purpose of migrating to and setting up OpenClaw, the use of `shell=True` is a known vulnerability pattern that can lead to shell injection if not handled with extreme care, even if the immediate exploit path is mitigated by hardcoded commands. Additionally, performing a global `npm install` is a high-privilege action that modifies the system's global environment. There is no evidence of intentional malicious behavior such as data exfiltration, persistence, or obfuscation; all actions are explicitly documented in `SKILL.md` and other documentation files.
- External report
- View on VirusTotal