Migrate
Pass
Audited by ClawScan on May 10, 2026.
Overview
This migration skill appears to do what it claims, but its backup archives can contain WhatsApp session data, optional credentials, and private history, so they must be handled securely.
This skill is appropriate for migration or backup, but use it only when you intend to create a sensitive portable copy of your Clawdbot setup. Protect the archive, avoid importing untrusted backups, be careful with --force, and do not include credentials or session transcripts unless you really need them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the archive may be able to reuse the WhatsApp session or access copied credentials if they were included.
The export copies WhatsApp session state by default and can copy credentials when the user passes --include-credentials; these are account-access materials placed into a portable archive.
cp -r "$CONFIG_DIR/whatsapp" "$STAGING/config/" ... cp -r "$CONFIG_DIR/credentials" "$STAGING/config/"
Treat exports like sensitive backups: encrypt or otherwise protect them, transfer only through trusted channels, and avoid --include-credentials unless absolutely necessary.
Using the wrong or tampered archive could overwrite your workspace/config or install unwanted managed skills.
The import can overwrite without prompting when --force is used and restores managed skills from the archive, which is expected for migration but changes local agent behavior.
--force|-f) FORCE=true; shift ;; ... cp -r "$STAGING/config/skills" "$CONFIG_DIR/"
Import only archives you created or fully trust, inspect contents before restoring, avoid --force unless needed, and keep a backup of the existing installation.
A backup made with --include-sessions may expose private conversations or restore old context into a new installation.
When requested, the export includes agent session transcripts/persistent conversation state, which can contain private data or context reused after import.
if [ "$INCLUDE_SESSIONS" = true ] && [ -d "$CONFIG_DIR/agents" ]; then ... cp -r "$CONFIG_DIR/agents" "$STAGING/config/"
Only include sessions when needed, store those archives securely, and review or delete sensitive transcripts before sharing or transferring the backup.
