claw2tencentcloud
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The migration purpose is clear, but batch mode asks users to run an unreviewed downloaded script with powerful cloud API keys and server passwords.
Treat this as a Review item, not confirmed malware. Only use it if you trust the publisher and can review the downloaded script first. Use temporary least-privilege cloud credentials, verify SSH hosts, make backups, run during a maintenance window, and revoke credentials plus delete migration archives after completion.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote script changes or is compromised, it could run unreviewed code while holding cloud API keys and server login credentials.
Batch migration depends on a remote Python script that is not included in the skill package, with no checksum, signature, pinned version, or reviewed source in the artifacts.
Download the batch migration script: `https://go2tencentcloud-1251783334.cos.ap-guangzhou.myqcloud.com/others/claw2tencentcloud.py` ... run the script
Do not run the downloaded script until you have reviewed it and verified its source and integrity. Prefer a packaged, version-pinned script with a checksum or signature.
These credentials can potentially control many cloud servers and automation actions, so misuse or leakage could affect more than the intended migration targets.
The skill requests broad read/write and automation permissions for Tencent Cloud, plus source and destination cloud API keys, without resource-, region-, or time-scoping in the artifact.
Tencent Cloud requires the following permissions: `QcloudCVMFullAccess`, `QcloudLighthouseFullAccess`, `QcloudTATFullAccess`
Use temporary, least-privilege credentials scoped to the exact instances and regions needed, revoke them after migration, and avoid using long-lived account-wide keys.
A wrong or spoofed host could receive credentials, and passwords may be exposed through shell history or process listings.
The single-instance workflow uses plaintext password-based SSH in command arguments and disables SSH host-key checking while performing service stops and data transfer.
sshpass -p '{password}' ssh -o StrictHostKeyChecking=no {username}@{src_ip} "openclaw gateway stop"
Verify the SSH host fingerprint, prefer SSH keys over passwords, avoid disabling host-key checking, and run commands only after explicit user confirmation.
Mistakes can cause downtime or overwrite the wrong OpenClaw deployment.
The skill correctly discloses that migration stops the source and overwrites target data; in batch mode, wrong mappings or incompatible data could affect multiple instances.
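When migration starts, the source OpenClaw instance will be stopped ... After migration, the target OpenClaw instance's data will be overwritten by the source OpenClaw instance's data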
Use a maintenance window, verify every source-target mapping, keep tested backups, and require a final confirmation before running migration commands.
Sensitive OpenClaw data may remain in migration archives or backups after the move.
The workflow copies the entire persistent OpenClaw state directory into archives and between machines. That is central to migration, but it may include private configuration or agent state.
tar -czf /home/openclaw-state.tgz -C /root .openclaw ... scp ... /home/openclaw-state.tgz /home
Protect the archive and backup files, restrict file permissions, transfer only to trusted machines, and delete temporary archives after a verified migration.
