Migrate

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: migrate
Version: 1.0.0

The skill is designed for migrating Clawdbot installations, which includes handling sensitive configuration and data. It is classified as suspicious due to the explicit capability to export and import credentials via the `--include-credentials` flag, as documented in `SKILL.md` and implemented in `scripts/export.sh` and `scripts/import.sh`. While this feature is opt-in and includes a warning, the direct handling of credentials represents a high-risk capability that could lead to accidental exposure or misuse, even without clear evidence of intentional malicious exfiltration to external endpoints.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the archive may be able to reuse the WhatsApp session or access copied credentials if they were included.

Why it was flagged

The export copies WhatsApp session state by default and can copy credentials when the user passes --include-credentials; these are account-access materials placed into a portable archive.

Skill content

cp -r "$CONFIG_DIR/whatsapp" "$STAGING/config/" ... cp -r "$CONFIG_DIR/credentials" "$STAGING/config/"

Recommendation

Treat exports like sensitive backups: encrypt or otherwise protect them, transfer only through trusted channels, and avoid --include-credentials unless absolutely necessary.

What this means

Using the wrong or tampered archive could overwrite your workspace/config or install unwanted managed skills.

Why it was flagged

The import can overwrite without prompting when --force is used and restores managed skills from the archive, which is expected for migration but changes local agent behavior.

Skill content

--force|-f) FORCE=true; shift ;; ... cp -r "$STAGING/config/skills" "$CONFIG_DIR/"

Recommendation

Import only archives you created or fully trust, inspect contents before restoring, avoid --force unless needed, and keep a backup of the existing installation.

What this means

A backup made with --include-sessions may expose private conversations or restore old context into a new installation.

Why it was flagged

When requested, the export includes agent session transcripts/persistent conversation state, which can contain private data or context reused after import.

Skill content

if [ "$INCLUDE_SESSIONS" = true ] && [ -d "$CONFIG_DIR/agents" ]; then ... cp -r "$CONFIG_DIR/agents" "$STAGING/config/"

Recommendation

Only include sessions when needed, store those archives securely, and review or delete sensitive transcripts before sharing or transferring the backup.