ClawHub

Tvs Cc Migrator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Claude Code backup and restore skill, but its restore guide can execute command strings taken from a backup manifest and its backups may include sensitive local configuration.

Install only if you are comfortable giving the skill access to your Claude Code configuration. Review the scan output carefully, prefer clearing sensitive settings fields, keep backup archives private, and do not restore or execute manifest-provided reinstall commands from a backup you do not fully trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guide instructs the agent to read and execute `reinstall_commands` from `manifest.json`, which is backup-supplied content and therefore untrusted input. This turns a restore workflow into arbitrary command execution with user confirmation, creating a clear path for malicious manifests to run attacker-controlled commands on the host.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The scan mode enumerates and reports nearly any non-hidden, non-skipped file or directory under ~/.claude, not just the explicitly described configuration items. That broad discovery can expose unexpected private data and materially exceeds the principle of least surprise for a backup tool advertised around a mostly fixed config set.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The actual backup path copies dynamically discovered root-level files and directories from ~/.claude, so the script can archive more data than users would reasonably infer from the description. This can unintentionally capture sensitive artifacts, local state, or future Claude files that were never intended for migration.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Scan mode emits hostname, username, and platform in its JSON report even though those identifiers are not required to discover backupable config. While not a direct compromise, this increases privacy exposure and creates unnecessary system-identifying metadata that may be shared or stored downstream.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The guide offers a full-overwrite mode that replaces existing local configuration but does not present a clear, upfront warning about irreversible data loss before the user is asked to choose. In a migration context affecting `~/.claude`, this can lead to accidental destruction of local settings, skills, commands, or custom plugins.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger description includes very broad everyday scenarios such as backing up config, migrating Claude Code, exporting settings, restoring config, and changing computers. In an agent ecosystem, overly broad activation language can cause this skill to run in contexts where the user did not explicitly intend filesystem backup/migration actions, increasing the chance of unnecessary access to sensitive ~/.claude contents and prompting users about secrets.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
By default, backup mode copies settings.json including environment values, while only detecting sensitive keys rather than excluding them unless a special exclude token is supplied. This creates a high risk of credential leakage into backup archives that may be moved, uploaded, or stored less securely than the live machine.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The scan JSON includes host and user identifiers without an explicit user-facing disclosure, which can surprise users who expect only configuration inventory. This is primarily a privacy and metadata minimization issue rather than a direct security exploit, but it still increases exposure if reports are shared.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal