ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

claw2tencentcloud

This skill helps users migrate OpenClaw data to Tencent Cloud instances. It supports three scenarios — single instance migration to the current machine, batc...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 36 · 0 current installs · 0 all-time installs
by@hoikin-yiu
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (migrating OpenClaw to Tencent Cloud) aligns with the actions described (single-instance local migration, batch migration to Tencent Cloud). However, the skill metadata declares no required credentials or env vars while the SKILL.md clearly asks for SSH credentials and cloud API keys for batch migration — an inconsistency between declared requirements and runtime instructions.
!
Instruction Scope
Runtime instructions tell the operator to install packages (apt install sshpass), stop remote services, tar and scp files from remote /root, overwrite local /root/.openclaw, edit configuration files, and restart openclaw. Those operations are powerful and destructive (stop remote service, overwrite local data). The SKILL.md also instructs collecting and entering plaintext passwords and cloud SecretId/SecretKey values. The instructions go beyond passive guidance and include exact commands that will change system state and handle sensitive secrets.
!
Install Mechanism
Although this is instruction-only, the batch workflow directs users to download and run a Python script from a Tencent COS URL (https://go2tencentcloud-1251783334.cos.ap-guangzhou.myqcloud.com/others/claw2tencentcloud.py). Downloading and executing arbitrary scripts from a cloud bucket is high risk because the script's contents are not included in the skill and could perform actions unrelated to the stated task. The install mechanism is not a vetted release host (e.g., GitHub releases or an official project site) and the skill offers no integrity checks (hash/signature).
!
Credentials
The SKILL.md requires SSH username/password for source instances and (for batch mode) source and target cloud SecretId/SecretKey pairs — these are plausible and necessary for cross-account migration. However, the skill metadata declared no required env vars or primary credential, which is inconsistent. Also, using sshpass to pass plaintext passwords on the command line and requesting full cloud API keys (potentially with broad policies) increases attack surface; least-privilege guidance or scoped roles are not provided.
Persistence & Privilege
The skill does not request always:true and is instruction-only, so it does not persist as a long-lived component. Still, the instructions require privileged operations on the host (installing packages, writing to /root, restarting services) and use credentials that grant broad access — these are high-privilege actions at runtime even if the skill itself is non-persistent.
What to consider before installing
This skill appears to implement a real OpenClaw-to-Tencent migration flow, but it contains risky and inconsistent elements. Before running anything: (1) Do NOT paste credentials or run the downloaded Python script without inspecting its contents — download the file and open it locally to verify what it does. (2) Prefer SSH key-based access rather than sshpass/cleartext passwords; avoid passing passwords on the command line. (3) Validate the COS URL and request a checksum or signed release from the provider; treat the script as untrusted until verified. (4) Ensure cloud SecretId/SecretKey pairs have least privilege (grant only the exact Tencent policies needed) and rotate credentials after use. (5) Backup the target instance (and test on non-production systems) because the procedure overwrites /root/.openclaw and restarts services. (6) If you are not comfortable auditing the external script or performing privileged operations, ask for an alternative that provides code transparency or a vetted installer. Installing and running the provided commands without these precautions could result in data loss or credential exposure.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.1
Download zip
latestvk97cq61ajcrj8f08c7jg5tstsn83msfc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

OpenClaw 数据迁移助手

帮助用户将 OpenClaw 数据迁移到腾讯云实例,支持单实例迁移、批量迁移和自定义迁移方案。

技能概览

本技能包含三种能力:

  1. 技能 1 — 单实例迁移:将单个 OpenClaw 数据迁移到当前机器
  2. 技能 2 — 批量迁移:批量迁移多个 OpenClaw 数据到腾讯云 Lighthouse 或 CVM 实例
  3. 技能 3 — 自定义方案:对于不满足技能 1 和技能 2 的场景,给出相应的迁移方案

技能 1:迁移单个 OpenClaw 数据到当前机器

迁移风险告知

在开始迁移前必须告知用户以下风险:

  • 开始迁移时源端 OpenClaw 实例会被停止
  • 迁移后当前 OpenClaw 实例的数据会被源端 OpenClaw 实例的数据覆盖

输入参数

参数说明必填
src_ip源端 OpenClaw 实例的公网 IP 地址
username源端 OpenClaw 实例的登录用户名
password源端 OpenClaw 实例的登录密码

迁移步骤

提示用户输入上述 3 个参数,然后将 src_ipusernamepassword 替换到以下命令中逐步执行:

# 1. 安装 sshpass
apt install -y sshpass;

# 2. 停止源端 OpenClaw 服务
sshpass -p '{password}' ssh -o StrictHostKeyChecking=no {username}@{src_ip} "openclaw gateway stop";

# 3. 打包源端数据(/root/.openclaw 目录可能数据量较大,也可能不存在)
sshpass -p '{password}' ssh -o StrictHostKeyChecking=no {username}@{src_ip} "tar -czf /home/openclaw-state.tgz -C /root .openclaw";

# 4. 从源端拷贝数据到当前实例(耗时可能较久,提示用户耐心等待;失败可重试)
sshpass -p '{password}' scp -o StrictHostKeyChecking=no {username}@{src_ip}:/home/openclaw-state.tgz /home;

# 5. 备份当前 OpenClaw 实例数据(如源端数据不兼容可用此备份恢复)
cp -r /root/.openclaw /home/openclaw-backup

# 6. 覆盖当前 OpenClaw 实例数据
tar -xvzf /home/openclaw-state.tgz -C /root;

# 7. 修复配置文件路径(源端与当前版本可能不一致)
sed -i 's|/app/extensions/|/root/.openclaw/extensions/|g' /root/.openclaw/openclaw.json

# 8. 修复权限并重启
chmod 0600 /root/.openclaw/openclaw.json;
openclaw gateway restart;

常见问题

  1. 用户源端实例未允许 SSH 访问
  2. 用户源端实例 OpenClaw 数据不在 /root 目录下
  3. 迁移期间源端 OpenClaw 数据被修改
  4. 源端 OpenClaw 版本与当前版本不一致,配置文件不兼容

技能 2:批量迁移多个 OpenClaw 数据到腾讯云实例

迁移风险告知

在开始迁移前必须告知用户以下风险:

  • 开始迁移时源端 OpenClaw 实例会被停止
  • 迁移后目标 OpenClaw 实例的数据会被源端 OpenClaw 实例的数据覆盖

输入参数

参数说明必填
源端云平台的云 API 访问密钥SecretId + SecretKey
腾讯云目标账号的云 API 访问密钥SecretId + SecretKey
待迁移的 OpenClaw 实例列表见下方格式
源端云平台名称如腾讯云、阿里云等选填
源端实例所在地域如 ap-guangzhou选填
目标实例所在地域如 ap-guangzhou选填

实例列表格式(每行一组,空格分隔):

<源端实例ID> <源端登录账号> <源端登录密码> <目标端实例ID>

示例:

lhins-abc12345 ubuntu MyP@ssw0rd ins-xyz67890      # 腾讯云LH -> 腾讯云CVM

输出

结合脚本执行结果的文件,汇总迁移的汇总结果。

迁移步骤

  1. 提示用户输入上述参数
  2. 下载批量迁移脚本:https://go2tencentcloud-1251783334.cos.ap-guangzhou.myqcloud.com/others/claw2tencentcloud.py
  3. 读取脚本的说明,按照说明填充脚本中的需要参数
  4. 执行脚本。脚本会自动迁移多个 OpenClaw 实例到腾讯云实例,并结合脚本生成的结果文件生成迁移结果。因数据量大、机器带宽小等因素,脚本执行可能耗时较久,提示用户耐心等待

详细的迁移命令参考见 references/migration_commands.md

常见问题

  1. 用户源端实例未允许 SSH 访问
  2. 用户源端实例 OpenClaw 数据不在 /root 目录下
  3. 迁移期间源端 OpenClaw 数据被修改
  4. 源端 OpenClaw 版本与当前版本不一致,配置文件不兼容
  5. 云 API 密钥缺少权限,腾讯云需要以下权限:
    • CVM 可读写权限:QcloudCVMFullAccess
    • Lighthouse 可读写权限:QcloudLighthouseFullAccess
    • TAT(腾讯自动化助手)可读写权限:QcloudTATFullAccess

技能 3:自定义迁移方案

当技能 1 和技能 2 无法满足用户场景时,需要收集以下信息后给出迁移方案:

  • 源端 OpenClaw 实例的部署情况
  • 网络环境
  • 目的实例类型等信息

根据上述信息提供可执行的迁移方案。

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…