Openclaw Migrate

Security checks across malware telemetry and agentic risk

Overview

This migration skill does its advertised backup and restore job, but it can upload sensitive agent data and overwrite agent files with too little review or safety checking.

Review the scripts before installing. Use only a trusted private repository, inspect the exact backup contents before pushing, manually check openclaw.json.template for secrets, avoid using the force-push path, and restore only after backing up the target .openclaw directory or restoring into a staging directory first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The script claims it backs up only installed skill names, but it also copies custom .skill files into the GitHub repository. Those files may contain sensitive prompts, logic, proprietary workflows, or embedded secrets, so the mismatch between documented and actual behavior can cause unintended data disclosure.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The jq sanitization logic checks whether values contain substrings like key, token, or secret, instead of checking sensitive field names. As a result, credentials stored under keys such as api_key, token, secret, password, or similar may be copied into the backup unsanitized and then pushed to the remote repository.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README explicitly advertises exporting full agent state and syncing/restoring it via a GitHub repository, but it does not warn about secrets exposure, sensitive data inclusion, or destructive overwrite risks during restore. In this context, users may reasonably assume the workflow is safe by default and could leak credentials, conversation history, tokens, or deploy an unintended state onto another server.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script exports workspace, configuration, skills, extensions, and optionally session/agent data into a predictable location under /tmp, which is commonly accessible to other local users and subject to accidental exposure. Because these archives may contain secrets, credentials, proprietary code, or session history, writing them to /tmp without permission hardening, encryption, or explicit warning creates a real confidentiality risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The generated restore script extracts archives and copies files directly into the target directory with no confirmation, backup, or conflict checks, so existing files can be silently overwritten. If run against a populated environment, this can destroy configuration or replace trusted skills/extensions with older or altered content, leading to integrity and availability issues.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The script collects local agent files and uploads them to a remote GitHub repository without a clear, explicit warning about what categories of data will leave the machine. In a skill context, users may execute helper scripts expecting routine sync behavior and inadvertently exfiltrate private memory, identity, or custom-skill data.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The pull/restore flow writes files into the user's default .openclaw directory automatically by executing restore.sh from the cloned repository. This can overwrite local configuration, memory, and skill files without confirmation, creating integrity and persistence risks if the repository contents are stale or malicious.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The script falls back to git push --force without a safety warning or confirmation. Force-pushing can overwrite remote history and destroy existing backups or unrelated repository contents, which is especially dangerous for a backup tool where preserving history is a core safety property.

VirusTotal

66/66 vendors flagged this skill as clean.