Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Migrate

v1.0.0

Export and import Clawdbot installations for migration between machines. Use when the user wants to migrate Clawdbot to a new computer, backup their setup, or restore from a backup. Handles workspace files, config, WhatsApp sessions, and optionally credentials.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included scripts: they create a tarball of a workspace and ~/.clawdbot config and restore it. However, the registry metadata declared no required config paths or env vars while the scripts explicitly use $HOME/.clawdbot and honor a CLAWDBOT_WORKSPACE env var — an inconsistency between claimed requirements and actual behavior.
Instruction Scope
SKILL.md merely instructs running the provided export/import scripts. The scripts only perform local file operations (rsync/cp/tar) and produce a manifest including the host's hostname. They do not call external endpoints. They do, however, copy WhatsApp session files and optional credentials when requested — which is within the migration purpose but is highly sensitive and should be handled carefully.
Install Mechanism
Instruction-only skill with no install spec. No remote downloads or package installs are performed by the skill itself; the scripts rely on standard system tools (tar, rsync, cp, jq if present).
Credentials
The scripts access $HOME/.clawdbot and honor the CLAWDBOT_WORKSPACE env var, but the skill metadata lists no required config paths or env vars. The tool can optionally include credentials and WhatsApp sessions in the archive — these are legitimate for migration but are highly sensitive and should be explicitly declared and justified in metadata.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It restores files into user directories and prompts before overwriting unless --force is used.
What to consider before installing
This skill appears to implement a legitimate Clawdbot migration (it archives/restores workspace and ~/.clawdbot), but be cautious before using it:
- Metadata mismatch: the package metadata claims no config paths or env vars, but the scripts read/write $HOME/.clawdbot and respect CLAWDBOT_WORKSPACE. Treat that as a red flag about accuracy of the listing.
- Sensitive data: the export can include WhatsApp sessions and stored credentials. Only create/transfer such archives over trusted, encrypted channels and avoid including credentials unless absolutely necessary.
- Inspect archives before restoring: an imported archive may contain code or scripts inside the workspace that could run later (for example when you start Clawdbot). Extract and inspect the archive contents before copying into your live workspace.
- Backup first: keep a backup of your current workspace/config before running import, especially if using --force.
- Least privilege: run export/import as your normal user (not root) and avoid restoring third-party archives to privileged locations.
- Integrity & provenance: get the archive from a trusted source; consider checksums or signatures when transferring between machines.
- Additional note: the scripts conditionally use jq to edit config; jq is optional but if present will be used. If you want stricter behavior, inspect the scripts and run them manually.
Given the mismatches and the ability to move highly sensitive data, review the scripts and confirm the archive source before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk9745cwf0nyzem472g0xps4nex804vh2

