Dialogflow CX to CX Agent Studio Migration Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a legitimate migration helper, but it uses your Google Cloud login and includes configurable API base URLs that could expose that token if misused.

Install only if you are comfortable granting the script Google Cloud/Dialogflow/CES access for the target projects. Use the default Google API endpoints, run export-only first when possible, and protect the generated export files because they may contain sensitive agent configuration.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user or agent supplies a non-Google base URL, that endpoint could receive a Google access token with Dialogflow/CES or cloud-platform authority.

Why it was flagged

The script can attach a Google OAuth bearer token obtained from local credentials to URLs derived from configurable base-url arguments, rather than visibly restricting token use to Google API hosts.

Skill content

parser.add_argument("--dfcx-base-url", default=DEFAULT_DFCX_BASE)
parser.add_argument("--ces-base-url", default=DEFAULT_CES_BASE)
headers.setdefault("Authorization", f"Bearer {token}")

Recommendation

Use only the default official Google API endpoints unless you have verified the destination. The skill author should restrict base URLs to trusted Google domains or add explicit warnings and confirmations before sending tokens to custom endpoints.

What this means

Running the full migration can create CX Agent Studio resources and change the app root agent in the selected Google Cloud project.

Why it was flagged

The skill performs cloud-side mutations as part of its normal migration workflow.

Skill content

Creates a CES app and a CES agent ... Sets root agent on the CES app

Recommendation

Confirm the project, location, app, and agent names before running. Consider using the documented --export-only mode first to inspect the report before making CES changes.

What this means

Sensitive bot configuration or business logic may remain on disk after the migration.

Why it was flagged

The skill stores a full exported agent package and indexed report locally, which may contain proprietary flows, intents, webhooks, test cases, or configuration details.

Skill content

Exports full CX agent packages ... `dfcx_migration_output/dfcx_agent_export.zip` ... `dfcx_migration_output/export/` ... `dfcx_migration_output/migration_report.json`

Recommendation

Store the output directory securely, avoid sharing it unintentionally, and delete or archive it according to your organization’s data-handling policy.

What this means

Users may need to resolve Python dependencies themselves, which can lead to inconsistent or untrusted package versions.

Why it was flagged

The skill includes a runnable Python script but does not provide dependency installation or pinned package provenance in the install metadata.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Install dependencies from trusted sources and prefer a pinned requirements file or controlled Python environment before running the script.