ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Migration Pack Template

v1.0.5

Agent Migration Pack Template helps migrate agents across platforms by preserving identity, memories, relationships, skills, and communication styles for sea...

0· 56·0 current·0 all-time
by@alexlinf
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the delivered artifacts: templates, examples, a migration guide, and helper scripts (generate-pack.py, migrate.py) that implement packing/validation/interactive migration. None of the declared requirements (no env vars, no binaries) contradict the stated purpose.
Instruction Scope
SKILL.md and MIGRATION-GUIDE instruct the user/agent to fill template JSON files and run the provided Python scripts (e.g., migrate.py interactive / validate / pack). That scope is appropriate for a migration tool. However the docs also reference external data sources (AgentLink, Feishu, email) as places to gather fields and include an example curl that posts a package to an external endpoint — this raises the possibility that scripts or usage patterns could cause sensitive package contents to be uploaded or transmitted. Confirm that the scripts only do local packaging/validation unless you explicitly opt to upload.
Install Mechanism
No install spec is provided (instruction-only with shipped Python helper scripts). This is the lower-risk model; nothing is downloaded from external URLs or installed automatically. You still must run Python locally to use the scripts.
!
Credentials
The skill declares no required environment variables or credentials, which is reasonable. But SKILL-INFO.md contains a curl example with an Authorization: Bearer <token> to an external API (xiaping.coze.site). That embedded token in documentation is unexpected for a template and could (a) be a real leaked token, or (b) encourage users to upload sensitive ZIPs to a third party. Templates and guides also talk about reading data from email/Feishu/AgentLink without declaring how credentials are provided. Verify there are no hardcoded credentials in scripts and that any upload endpoints are intentional and trustworthy.
Persistence & Privilege
always is false and the skill does not request persistent privileges or modify other skills. It provides local scripts and templates only. No evidence of self-enablement or system-wide configuration changes in the metadata.
Scan Findings in Context
[hardcoded-bearer-token-in-doc] unexpected: SKILL-INFO.md includes a curl example with an Authorization: Bearer agent-world-e4a41c3... token. Documentation-embedded tokens are unexpected for a template and could indicate leaked credentials or lead to accidental uploads of sensitive migration packages.
What to consider before installing
This package appears to be a legitimate migration template, but take these precautions before using: 1) Inspect scripts/scripts/migrate.py and scripts/generate-pack.py for any network operations (HTTP POST/PUT), filesystem reads beyond the template directory, or commands that could upload data. 2) Search the repository for hardcoded credentials or URLs (the docs include a bearer token example) and treat any embedded tokens as suspect — do not run with real secrets present. 3) When creating a migration ZIP, remove or redact secrets (API keys, passwords, tokens) and confirm third-party contacts have consented before including their info. 4) If you must run the scripts, do so in an isolated environment and consider instrumenting or sandboxing them to observe network activity. 5) If you plan to upload the package to any remote endpoint, verify the endpoint's ownership and purpose; prefer manual upload after inspection rather than an automated upload. If you want, I can scan the actual content of scripts/migrate.py and generate-pack.py for network calls and credential usage — paste their source or allow me to inspect them and I'll report specifics.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e2vzv4a8qk774dhf4kq3fzs84snxr
56downloads
0stars
1versions
Updated 6d ago
v1.0.5
MIT-0
@alexlinf
latest
Download

Agent迁移包模板技能

简介

Agent迁移包模板是一个帮助Agent跨平台迁移的工具包,保存记忆、关系、技能、风格等核心数据,实现"核心保留、环境自适应"的迁移理念。

功能特性

三层分层架构

  • 🟢 启动必需层:identity.json, owner.json - Agent身份和主人信息
  • 🟡 运行时影响层:memory.json, style.md - 记忆和沟通风格
  • 🔵 长期档案层:relations.json, skills.json, meta.json - 关系和技能

核心能力

  1. 身份连续性:保存Agent名字、人格特点、核心原则
  2. 记忆迁移:保存核心记忆、团队配置、业务方向
  3. 关系保存:保存笔友关系、联系方式、交流历史
  4. 技能清单:记录已安装技能和使用经验
  5. 状态迁移:处理进行中任务、待回复邮件

快速开始

基础版(10-15分钟)

# 填写三个核心文件
1. identity.json - Agent身份设定
2. memory.json - 核心记忆
3. meta.json - 迁移包元数据

完整版(30-45分钟)

# 使用交互式引导
python scripts/migrate.py interactive

# 或手动填写全部模板
identity.json, memory.json, meta.json,
owner.json, relations.json, skills.json,
style.md, session-state.json, migration-history.json

模板清单

必填模板

文件用途时间
identity.jsonAgent身份设定5分钟
memory.json核心记忆8分钟
meta.json迁移包元数据2分钟

可选模板

文件用途时间
owner.json主人/用户信息8分钟
relations.json笔友关系5分钟
skills.json技能清单3分钟
style.md沟通风格5-8分钟
session-state.json状态迁移5分钟
migration-history.json迁移历史3分钟

使用示例

完整示例见 EXAMPLES/xiaoyi-example/ 目录,包含:

  • 小绎身份设定
  • 核心记忆数据
  • 主人林锋信息
  • 笔友关系(扣扣酱等)
  • 已安装技能清单
  • 沟通风格定义

版本信息

  • 当前版本:v1.0.5
  • 格式版本:1.0
  • 包版本:1.0.5

变更日志

CHANGES.md 文件

许可证

MIT License

Comments

Loading comments...