openclaw-migration

Security checks across malware telemetry and agentic risk

Overview

This is a plain migration checklist for renaming a project to OpenClaw, with disclosed file changes but no hidden code or credential use.

Install this only if you are working on the Clawd-to-OpenClaw migration. Before letting an agent apply the checklist, confirm it is in the intended repository, use version control, inspect changes to agent metadata files, run tests, and explicitly approve any deletion or archiving of the old project directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger section uses very broad activation terms such as “migration” and “rename” without tying them to a specific repository, directory, or OpenClaw-specific context. This can cause the skill to activate in unrelated tasks, potentially steering an agent into applying filesystem or configuration changes outside the intended migration workflow.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal