Skill v1.0.0
VirusTotal security
Agent Migrate · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:20 AM
- Hash: ebc99eb9485d0bd377cf6643f5315247fb91ffc3266cbcefa03418330a288e2f
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: agent-migrate; Version: 1.0.0. The skill provides high-privilege migration and backup capabilities that involve handling sensitive agent data, including identity files and configuration secrets. A significant security vulnerability exists in `scripts/sync-github.sh`, where the `jq`-based sanitization logic incorrectly checks values instead of key names for sensitive strings (e.g., 'key', 'token'), which will fail to redact actual API keys (e.g., 'sk-...') before pushing them to a remote GitHub repository. Furthermore, the scripts perform high-risk operations such as packaging the entire agent state into `/tmp` and executing generated shell scripts (`restore.sh`), which could be exploited if the agent is manipulated via prompt injection to use an attacker-controlled repository.
