Cache Migration
Warn
Audited by ClawScan on May 16, 2026.
Overview
This skill matches its cache-migration purpose, but its Windows scripts can execute unsafe path text and make destructive persistent file-system changes without enough safeguards.
Only use this on Windows after backing up important app data. Carefully verify every SourcePath and destination path, avoid running as administrator unless needed, close the affected apps first, and do not pass any path text copied from an untrusted source until the ExpandString behavior is fixed.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidental path value could run unintended PowerShell commands on the user's machine.
PowerShell ExpandString can evaluate expandable PowerShell syntax, including subexpressions, in user-supplied path parameters before path validation. A crafted path string could therefore execute commands, which is especially risky if the script is run as administrator.
$SourcePath = $ExecutionContext.InvokeCommand.ExpandString($SourcePath); $DstPath = $ExecutionContext.InvokeCommand.ExpandString($DstPath)
Do not evaluate path strings as PowerShell. Replace this with safe environment-variable expansion, validate paths, reject PowerShell metacharacters/subexpressions, and require explicit user confirmation before execution.
A wrong source path could remove important local data or leave an application broken if the Junction is not created correctly.
The generic migration script accepts arbitrary paths, recursively deletes the source directory, and creates a Junction without an allowlist, dry run, confirmation prompt, backup, or rollback if later steps fail.
param(... [string]$SourcePath, ... [string]$DstPath) ... Remove-Item -Path $SourcePath -Recurse -Force -ErrorAction Stop ... cmd /c "mklink /J ..."
Add path scoping, explicit confirmation showing source and destination, copy-integrity checks, backups, and rollback behavior before deleting the original directory.
VSCode extensions, caches, or launch behavior could be partially migrated, deleted, or left in a broken state.
The VSCode migration function ignores copy errors and then deletes the original directory. The same script also applies this across multiple cache/extension directories and can modify VSCode launchers and settings, so one failed copy or bad path can affect future application behavior.
Copy-Item -Path "$Src\*" -Destination $Dst -Recurse -Force -ErrorAction SilentlyContinue; Remove-Item -Path $Src -Recurse -Force -ErrorAction Stop
Fail closed on copy errors, verify file counts or hashes before deletion, back up launcher/settings files, and provide a documented restore command.
Running as administrator can let mistakes affect more of the system than a normal user process would.
The skill discloses that it may require administrator PowerShell. Elevated execution is related to system-level filesystem changes, but it increases the impact of path mistakes or script flaws.
Applicable systems: Windows 10/11 (PowerShell must be run with administrator privileges)
Run without administrator rights when possible, and only elevate after reviewing the exact paths and commands.
Users may not realize this is a Windows-only script package with local destructive capabilities before invoking it.
The metadata does not provide provenance and does not declare the Windows/PowerShell-specific runtime requirements, even though the included artifacts are PowerShell scripts for Windows filesystem changes.
Source: unknown; Homepage: none; OS restriction: none; Required binaries (all must exist): none
Publisher should declare Windows/PowerShell requirements and provenance. Users should inspect the scripts locally before running them.
