Agent Migration

Security checks across malware telemetry and agentic risk

Overview

This is a coherent agent-migration skill, but it needs review because its high-permission helper scripts can copy session data using unvalidated agent IDs.

Install only if you intentionally need to migrate an OpenClaw agent and can tolerate persistent local changes. Use simple agent IDs only, back up OpenClaw config and agent/session directories first, review whether old session history should be copied, and avoid deleting the old agent until the migrated agent is verified.

SkillSpector

By NVIDIA

Vulnerability Patterns

Rogue AgentSelf-Modification, Session Persistence
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Session Persistence

Medium

Category: Rogue Agent
Content: - Confirm old id, new id, new workspace, and whether model also changes. - Migrate prior session content by default unless the user explicitly says not to. - Do not skip migration just because a session does not look active. - Do not hard-edit active lock files or force-rewrite a live session shell. - Restart is required after migration. - Never delete the old agent without a separate user confirmation.
Confidence: 78% confidence
Finding: write a live session shell. - Restart is required after migration. - Never delete the old agent without a separate user confirmation. ## Files involved - config: `~/.openclaw/openclaw.json` - agent d

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal