Skill v1.0.0

ClawScan security

Agent Migrate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 6, 2026, 1:59 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly does what it says (export/import/sync agent state) but contains several inconsistencies and actions that can leak sensitive agent identity and memory (notably the GitHub sync and hardcoded paths), so review and tighten before use.
Guidance
This skill is intended for migrating OpenClaw agents and contains useful export/restore scripts, but be cautious before running it:

1) Review the scripts line-by-line — sync-github.sh will collect identity and memory files and push them to whatever repo you provide, and it can force-push; do not run it against a public repo.
2) The jq-based sanitization is imperfect — manually inspect openclaw.json and any workspace files for tokens/secrets before syncing.
3) Note the scripts use hardcoded paths (/home/node/.openclaw and /usr/local/...) — adjust them to your environment or run in a controlled container.
4) Prefer using scp or an encrypted/private repo, or remove sensitive files from the agent-export before transfer.
5) Because import-agent.sh referenced in docs is missing, rely on the generated restore.sh (inspect it) or implement a controlled import process.

If you plan to use this in production, test on an isolated machine and rotate any credentials after migration.

Review Dimensions

Purpose & Capability
note: Overall the requested actions (exporting workspace, config, skills, extensions, and offering restore) align with an agent migration tool. However there are small inconsistencies: SKILL.md references scripts/import-agent.sh which is not present (the export generates a restore.sh instead), and the scripts assume a specific host path (/home/node/.openclaw) rather than using a configurable or $HOME path. These mismatches reduce clarity and could cause misexecution on hosts with different layouts.
Instruction Scope
concern: The instructions and included sync-github.sh actively collect identity files (IDENTITY.md, MEMORY.md, etc.) and push them to a Git repository. Although docker-deploy.md and the security checklist mention sanitization, the sync script still copies long-term memory and identity files by default and only attempts a best-effort jq-based sanitization of openclaw.json. The script also attempts force-pushes. These behaviors go beyond simple filesystem copy and create a real exfiltration risk if the target repo or credentials are misconfigured.
Install Mechanism
ok: There is no install spec (instruction-only plus utility scripts), which is low risk from an automatic-install perspective. The only runtime actions are shell scripts included in the package; nothing is downloaded from arbitrary URLs by the skill itself.
Credentials
concern: The skill declares no required environment variables but the scripts implicitly require host git credentials (SSH key or token), jq, git, and an OpenClaw installation (openclaw status). It also reads files under /home/node/.openclaw and /usr/local/lib/node_modules/openclaw — access to these paths is expected for migration, but copying identity and memory files to an external Git remote is disproportionate unless the user intentionally wants that. The export script also runs openclaw status which may reveal runtime info. The skill does not require or document credentials, so credential use is implicit and potentially surprising.
Persistence & Privilege
ok: always:false and no modifications to other skills or system-wide agent settings are requested. The export creates a restore.sh in the archive and marks it executable (normal for self-contained restore). No elevated platform privileges or 'always' persistence were requested.