OC Migrator

The `scripts/migrate.sh` file contains a significant path traversal vulnerability during the restore operation. When extracting and copying files from a backup archive, the script uses `cp -R` on directories within the extracted archive (e.g., `cp -R "$RESTORE_DIR/workspace/$dir/"* "$OC_WORKSPACE/$dir/"`). If a malicious backup file is crafted to contain paths with `../` components (e.g., `openclaw-export-malicious/workspace/memory/../../../../etc/passwd`), the `cp -R` command could overwrite arbitrary files outside the intended OpenClaw directories, leading to potential system compromise. While the skill's stated purpose is legitimate, this critical vulnerability makes it suspicious.