Skillv0.1.0

ClawScan security

EasyClaw Brain Migration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 10, 2026, 6:16 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions are consistent with its stated purpose (locating, staging, and optionally importing EasyClaw workspace files into an OpenClaw workspace); it reads and copies files under the user's home directory but does not perform network I/O or request unrelated credentials.
Guidance: This skill appears to do exactly what it claims: scan ~/.easyclaw/workspace, stage files into ~/.openclaw/workspace/imports/easyclaw, and optionally import MEMORY.md and memory/ into the active workspace. Before running: (1) run python3 scripts/report_easyclaw_brain.py first to see what will be found; (2) inspect the staged files in imports/easyclaw/ before using --import-memory; (3) be aware MEMORY.md and memory/ may contain sensitive secrets—do not import blindly; (4) consider making a full backup of ~/.openclaw/workspace before importing; (5) review the two included scripts if you want assurance there is no hidden behavior (they are short and filesystem-only); and (6) note that launchd plists are only listed, not auto-copied—automation wiring must be rebuilt manually. Proceed if you accept the tool will read and copy files under your home directory.

Review Dimensions

Purpose & Capability: okThe skill's name/description match the included scripts and SKILL.md: both search ~/.easyclaw/workspace, stage files into ~/.openclaw/workspace/imports/easyclaw, and optionally import MEMORY.md and memory/ into the active workspace. Nothing requested or included (no network code, no extra credentials) is inconsistent with a migration tool.
Instruction Scope: noteInstructions explicitly tell the agent to run the two included Python scripts which enumerate, stage, and (optionally) import files. This requires reading many user-home files (AGENTS.md, SOUL.md, MEMORY.md, memory/, LaunchAgents listings). That is appropriate for migration, but it does mean the skill will read/copy potentially sensitive workspace data—users should review staged files before importing.
Install Mechanism: okNo install spec is present and this is an instruction+script skill. There is no package download or archive extraction; the code runs locally with the user's Python interpreter. This is a low install risk.
Credentials: okThe skill requires no environment variables or external credentials. The scripts operate on filesystem paths under the user's home directory only, which is proportionate to the migration task.
Persistence & Privilege: okThe skill is not marked always:true and does not modify other skills or system-wide agent settings. It performs filesystem operations only within the user's workspace paths and creates backups/staged copies within ~/.openclaw/workspace; autonomous invocation is allowed by default (not a red flag on its own).