Arquitecto de migracion

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a legitimate migration-planning skill, but its generated runbooks can include powerful database and cloud commands that should be reviewed before use.

This skill looks suitable for migration planning, but review the full scripts before running them, ensure Python 3.8+ is available, and treat generated SQL/cloud/Kubernetes/Terraform commands as drafts requiring staging tests, backups, and explicit approval.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Users have less external context for verifying where the bundled scripts came from before running them.

Why it was flagged

The skill includes executable Python scripts, but the registry metadata does not provide an upstream source or homepage for provenance. This is a provenance notice, not evidence of malicious behavior.

Skill content
Source: unknown; Homepage: none
Recommendation

Inspect the full bundled scripts before use and prefer a publisher-provided source repository or provenance link.

ASI05: Unexpected Code Execution
Low
What this means

The skill may run local scripts against schema or plan files supplied by the user.

Why it was flagged

The workflow instructs running bundled local Python scripts. This is central to the skill's migration-planning purpose, but it is still local code execution.

Skill content
python {baseDir}/scripts/compatibility_checker.py --before=<old> --after=<new>
...
python {baseDir}/scripts/migration_planner.py --config=<config.json>
...
python {baseDir}/scripts/rollback_generator.py --plan=<plan.json>
Recommendation

Run the scripts only from the installed skill directory, with intended input files, and avoid passing secrets unless needed.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If copied into a production shell or database console without review, generated rollback commands could delete data or change infrastructure.

Why it was flagged

The rollback generator contains templates for destructive or mutating database, Kubernetes, AWS, and Terraform-style operations. They appear to be generated runbook content rather than automatically executed actions.

Skill content
"drop_table": "DROP TABLE IF EXISTS {table_name};"
...
"delete_migrated_data": "DELETE FROM {table_name} WHERE migration_batch_id = '{batch_id}';"
...
"restore_previous_version": "kubectl rollout undo deployment/{service_name}"
...
"restore_iam_policies": "aws iam put-role-policy ..."
Recommendation

Treat generated commands as draft runbook material: test in staging, verify backups, require human approval, and do not auto-execute them.