EasyClaw Brain Migration

Security checks across malware telemetry and agentic risk

Overview

This migration skill is mostly purpose-aligned, but it can persistently copy sensitive legacy assistant memory into OpenClaw and may replace the active MEMORY.md file despite describing an additive, review-first workflow.

Use the report and staging steps first, then inspect imports/easyclaw before importing anything into the active workspace. Do not run --import-memory unless you are comfortable replacing active OpenClaw MEMORY.md from legacy EasyClaw data; keep the generated backup and manually merge if you want additive migration only. Review old prompt and memory files for stale, sensitive, or unsafe instructions before making them active.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill instructs the agent to run staging/import scripts that copy files into the current workspace, back up targets, and import memory content, which are clear file-write operations. Because the skill declares no permissions while directing write-capable behavior, it weakens permission transparency and can enable unintended modification of workspace state or sensitive files if the scripts or paths are broader than expected.

VirusTotal

64/64 vendors flagged this skill as clean.
