Agent Migrate

Security checks across malware telemetry and agentic risk

Overview

This migration skill does what it says, but it can upload sensitive agent state, overwrite local agent files, run a restore script from a cloned repository, and force-push to GitHub without enough safeguards.

Install only if you specifically need full OpenClaw migration. Use a trusted private repository, inspect exactly what will be exported, redact secrets and sensitive memory/session content yourself, avoid pull-mode restore unless you have reviewed the repository contents, and make a separate backup of the target ~/.openclaw before restoring. Remove or avoid the force-push path unless you explicitly intend to rewrite the remote branch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill instructs users to run shell commands and scripts such as export, import, scp, and restore operations, but it does not declare any corresponding permissions. Hidden or undeclared shell capability reduces transparency and can cause the agent to execute filesystem and network-affecting actions without appropriate review, especially because the documented operations include packaging state and restoring it on another machine.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill claims migration and deployment functionality, but it also documents syncing agent state to GitHub, which can transmit identity, memory, config, skills, and extensions to a third-party remote. In this context, that is dangerous because the exported data explicitly includes sensitive agent state and the skill only suggests sanitization as a checklist item rather than enforcing it, creating a realistic risk of data exfiltration or accidental public exposure.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Attempting `git push --force` can overwrite remote history and destroy existing repository contents if the target branch has unrelated commits. Because the repository URL is fully user-controlled and the script performs the force push automatically as a fallback, this creates an unnecessary destructive capability in a backup tool.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
In full mode, the script silently archives the entire agents/session data set, which can contain prompts, outputs, credentials, tokens, or other sensitive operational state. Because the artifact is written to /tmp and the workflow explicitly encourages copying it to another host, users may unintentionally exfiltrate sensitive data without any explicit warning, confirmation, or redaction step.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script copies identity files, memory contents, and custom skills into a repository and pushes them remotely without a strong warning or explicit confirmation of the data categories being exported. Even with partial redaction of `openclaw.json`, these files can contain sensitive operational context, prompts, or proprietary logic that users may not realize they are uploading.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The restore script writes files into `$HOME/.openclaw` by default and copies repository-provided content into workspace and skills directories without user confirmation or integrity checks. If the remote repository is stale, malicious, or simply incorrect, this can overwrite local agent state and introduce untrusted skill files into the environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The destructive fallback to `git push --force` occurs without any explicit warning or confirmation, despite the possibility of rewriting remote history. Users may expect a backup operation to be additive, not destructive, so silent force-push behavior materially increases the risk of accidental data loss.

VirusTotal

65/65 vendors flagged this skill as clean.