ClawHub
Back to skill
v1.0.1

OpenClaw Migration

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:59 AM.

Analysis

This is a conservative migration helper, but it relies on an external ClawMover CLI and sensitive migration secrets for backup/restore actions that can modify your OpenClaw setup after confirmation.

GuidanceBefore installing, verify that you trust ClawMover and the @clawmover/cli package. Prefer manual commands, run a simulated restore first, keep your dataSecretKey and verification code private, and only approve a real restore when you are ready for it to modify your local OpenClaw environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
For real restore, omit `--dest-path`, but only after explicit confirmation that the user wants to modify the local OpenClaw environment.

A real restore is a high-impact command that can change the local OpenClaw environment, but the artifact explicitly requires confirmation and recommends simulated restore first.

User impactIf approved, the agent may run migration commands that alter the local OpenClaw setup.
RecommendationUse the simulated restore path first, review the exact command, and only approve a real restore when you are ready to modify the local environment.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
This skill depends on the published CLI package `@clawmover/cli`.

The skill relies on an external CLI package that is not included in the artifact set; this is purpose-aligned but users should be aware they are installing and trusting that package.

User impactInstalling the CLI modifies the host environment and places trust in the external @clawmover/cli package.
RecommendationVerify the package source before installation and prefer the manual install command if you want to review the step yourself.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
Treat the following as sensitive:

- `dataSecretKey`
- verification codes
- any local paths that may reveal user-specific private data

The workflow requires sensitive migration secrets and verification codes, which can authorize backup or restore activity.

User impactSharing the migration key or verification code with the agent gives it enough information to help perform the migration workflow.
RecommendationOnly provide these values when needed, avoid reusing them elsewhere, and prefer masked/manual commands unless you intentionally want the agent to run the workflow.