Skillv2.1.1

ClawScan security

Memory Transfer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousMar 7, 2026, 7:53 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly does what it says (copy agent memory files locally) but its runtime instructions and code allow reading and copying arbitrary filesystem paths (no path sanitization), which can lead to unintended data access/exfiltration and is not called out in the description.
Guidance: This tool is coherent with its stated purpose (copying agent memory files), but it lacks path validation: passing absolute paths or '../' style agent IDs can make it read or copy arbitrary files on the host. Before installing or running it, consider: (1) review the code locally (already included) and test only in a safe environment; (2) run with a low-privilege account that cannot read sensitive files; (3) prefer using the --dry-run flag to verify which files will be affected; (4) harden the script by normalizing and validating paths (reject absolute paths and any path segments with '..', ensure resolved path startsWith the workspace base); (5) avoid running on multi-tenant hosts or systems containing sensitive PII unless you trust the inputs and have backups. If you need, ask the developer to add path sanitization and explicit confirmation prompts before copying.

Purpose & Capability: okName, description, SKILL.md, and memory-transfer.js all align: the tool lists and copies memory files between agent workspaces under /home/node/.openclaw. No unrelated capabilities are requested.
Instruction Scope: concernSKILL.md instructs the agent to read/copy files from agent workspaces (expected), but the script accepts arbitrary agent IDs and does not sanitize them. Supplying an absolute path or path traversal (e.g., '/etc', '../somepath') as an agent-id can cause the tool to read or copy files outside the intended workspace base. The instructions do not warn about this risk or restrict operations.
Install Mechanism: okNo install spec; this is an instruction-only skill with a single local Node script (no remote downloads or package installs). This minimizes install-time risk.
Credentials: okThe skill requires no environment variables, credentials, or external services. The requested access (local filesystem reads/writes) is consistent with its stated purpose, but scope of filesystem access is broader than it appears because agent IDs can resolve outside the workspace base.
Persistence & Privilege: okalways is false and the skill does not request persistent agent-wide privileges. It runs on-demand and only manipulates files it can reach based on supplied paths/agent IDs.