Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Migrate

v1.0.0

Migrate OpenClaw configs, skills, memory, tokens, environment variables, and cron jobs to a new host via SSH with setup, test, and migrate commands.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the behavior: the code enumerates ~/.openclaw, ~/.config/openclaw, the npm global OpenClaw install, environment variables, and the crontab, and copies them to a remote host via SSH/SCP. No unrelated credentials or services are requested.

Instruction Scope (flagged)
SKILL.md promises syncing "Any `HA_*` vars", but the implementation only checks a fixed ENV_VARS_TO_SYNC array (explicit names). The skill will read local environment variables and the user's crontab and will copy the entire ~/.openclaw workspace. This is consistent with migration but broad, and it includes potentially sensitive files. The instructions are explicit about migrating tokens and env vars, but the code's behavior and the documentation are not exactly identical.

Install Mechanism
No external install script or remote download; the skill is provided as code bundled in the package (main.js). There is no installer that pulls arbitrary code from unknown URLs.

Credentials (flagged)
The tool reads and will transfer sensitive environment variables (HA_TOKEN, GITHUB_TOKEN, GOOGLE_* keys, etc.) and the user's crontab to the target host. That is proportionate for a full migration tool, but it is high-risk: secrets are written in plaintext into remote shell profiles, and a local config.json with target details is stored next to the skill. The SKILL.md claims a broader HA_* scan than the code implements.

Persistence & Privilege
The skill does not request platform-wide privileges or always-on status. It saves a local config.json (target host, user, key path) and modifies the remote user's shell profiles and crontab as part of migration. This is expected for its purpose but affects scope on the remote host.
What to consider before installing

This tool will copy your OpenClaw workspace, configuration files, environment variables (including tokens), and cron jobs to the target host and will append exported env vars to remote shell profiles. Before installing/running:

- Inspect main.js yourself (it is included) and confirm the exact files/variables it will copy. The SKILL.md description of HA_* variable handling doesn't match the code.
- Back up any secrets and the remote host state. Treat the target host as trusted before transmitting secrets.
- Be aware the script constructs shell/ssh/scp commands by interpolating user-supplied values (host, user, key, profile contents) without sanitization; this can be dangerous if those values contain unexpected characters. Use this only in a controlled, trusted network or with a non-privileged test account first.
- Consider manually reviewing which environment variables and files you actually want migrated, and remove the others from your local environment or the sync list before running.
- If you need assurance, run the migration in a sandbox or on a disposable VM, or ask the author for a provenance/homepage and clarification about HA_* handling and local config storage.


Versions: latest (vk972t2ha9dkm7azewfat32xqzd81bmhe)
