openclaw-migration
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive local file paths to extract credentials and configuration data during the migration process.
- Evidence: The
scripts/openclaw_to_hermes.pyscript reads from~/.openclaw/.env,~/.openclaw/openclaw.json, and the~/.openclaw/credentials/directory to retrieve API keys and tokens for services including Telegram, OpenAI, and Anthropic. - [PROMPT_INJECTION]: The skill ingests untrusted data from the user's source environment and incorporates it into the agent's persona and memory, presenting an indirect prompt injection surface.
- Ingestion points: The
scripts/openclaw_to_hermes.pyscript reads user-supplied content fromSOUL.md,MEMORY.md, andUSER.md(as described inSKILL.md). - Boundary markers: Absent. There are no specific delimiters or instructions provided to the agent to distinguish between migrated content and system instructions during interpolation.
- Capability inventory: The skill has capabilities for file system writes and core configuration modification (
.env,config.yaml) within thescripts/openclaw_to_hermes.pyscript. - Sanitization: Basic string replacement for rebranding is performed via the
rebrand_textfunction, but no robust sanitization or validation of the ingested text is implemented to prevent instruction injection. - [COMMAND_EXECUTION]: The skill requires the agent to execute a local Python script with command-line arguments to perform migration tasks.
- Evidence:
SKILL.mdprovides instructions and examples for the agent to use the terminal tool to runpython3 scripts/openclaw_to_hermes.pywith various execution flags.
Audit Metadata