Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Modernize Move
v1.0.0
Detects and modernizes outdated Move V1 syntax, patterns, and APIs to Move V2+. Use when upgrading legacy contracts, migrating to modern syntax, or convertin...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (modernize Move V1→V2) aligns with the actions described (scan .move files, transform syntax/API, run tests). However, the SKILL.md explicitly requires running `aptos move test` and (when tests are missing) invoking a separate `generate-tests` skill. The package metadata declares no required binaries and no dependencies. Not declaring the aptos CLI and the dependency on another skill is an incoherence: a legitimate modernization workflow would need the Move/Aptos toolchain and any test-generation capability to be available or declared.
Instruction Scope
Instructions ask the agent to read all project source files, run shell commands (e.g., `aptos move test`), modify code (Write/Edit), and run iterative transforms with reversion on test failure. That scope is appropriate for modernization, but the skill also instructs invoking another skill (`generate-tests`) when tests are absent without declaring that dependency or describing how that skill is resolved. The workflow gives the agent permission to run Bash and edit files; the SKILL.md enforces user gates (present analysis and ask for scope), which mitigates surprise edits, but the implicit ability to run arbitrary shell commands is powerful—ensure the agent's runtime environment and available binaries are as expected.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is lower risk — nothing will be downloaded or installed automatically. The agent-only documentation and references are local files provided in the skill bundle.
Credentials
The skill declares no required environment variables, credentials, or config paths. The operations described (reading source files, running local tests, editing files) do not require secrets. That is proportionate. Just be aware that running `aptos move test` may read local config files (e.g., Move.toml or CLI configs) from the project directory; the skill does not declare or request access to unrelated credentials.
Persistence & Privilege
`always` is false and the skill is user-invocable; it does not request permanent inclusion or elevated platform privileges. The SKILL.md requires user confirmation before making edits, which appropriately limits autonomous destructive changes.
What to consider before installing
This skill appears to be a genuine Move modernization guide, but there are practical mismatches you should address before running it:
- Missing runtime dependency: SKILL.md assumes the aptos/Move CLI (`aptos move test`) is available, but the skill metadata does not declare that binary. Ensure the aptos CLI (or an equivalent Move test runner) is installed and on the expected PATH before invoking the skill.
- Undeclared skill dependency: The workflow will call a `generate-tests` skill if no tests exist; confirm that your agent has that skill available or provide tests yourself. The skill does not declare or bundle that dependency.
- Powerful permissions: The skill requests Bash and file Write/Edit capabilities and will modify source files. Although it promises an analysis report and explicit user confirmation gates, you should:
  - Run it in a sandbox or feature branch, not directly on production code.
  - Back up the repository (or ensure version control) before applying changes.
  - Start with `syntax-only` (Tier 1) scope to see automated edits and test impact before permitting Tier 2/3.
  - Manually verify that `aptos move test` passes locally and inspect diffs after each tier.
- Verify no unexpected config access: the skill may read project config files (Move.toml, test manifests). If you have secrets or CI credentials in the repo, review what the aptos CLI will access.
If you cannot confirm the aptos CLI or the generate-tests skill availability, treat the omission as a blocker and request an updated skill manifest that lists those runtime dependencies explicitly.
