OpenClaw Migrator

Security checks across malware telemetry and agentic risk

Overview

This migration skill handles sensitive agent state, but the described behavior is local, encrypted, and aligned with moving OpenClaw data between machines.

Before installing or using this skill, treat migration archives like sensitive backups: use a strong password, keep archives private, import only archives you created or fully trust, and back up the destination OpenClaw state first because restored config, memory, and skills can affect future agent behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The README instructs users to import and export full agent state, including config, memory, and skills, but does not warn that restoration may overwrite or merge sensitive local data on the destination machine. In a migration tool, this omission can lead to accidental loss of existing state, restoration of untrusted skills or memories, or unintended propagation of secrets, especially because users may treat the operation as routine and safe based on the security-focused wording.

VirusTotal

64/64 vendors flagged this skill as clean.
