migrate-from-openclaw

Warn

Audited by Socket on Apr 26, 2026

2 alerts found:

Security x2

Security: MEDIUM
scripts/extract-channel-credentials.ts

No overt malware/backdoor behavior is present in the provided fragment (no network activity, no command execution, no dynamic code execution). However, the utility is security-sensitive: it resolves credentials from local config and environment variables and can optionally write the resolved secrets (full values) to an arbitrary file path specified by --write-env, while also emitting credential-adjacent information to logs (presence/source and partial masks). This creates meaningful risk in CI/logging or when CLI arguments/state directories are not strictly controlled.

Confidence: 66%, Severity: 70%

Security: MEDIUM
SKILL.md

SUSPICIOUS: the skill's behavior mostly matches its migration purpose, but it has a large trust footprint. The main concerns are raw credential extraction/writing, inherited third-party skills/plugins, and optional pnpm dlx installation of MCP packages from legacy config. This looks like a powerful migration helper with medium-high security risk, not confirmed malware.

Confidence: 87%, Severity: 72%

Audit Metadata

Analyzed At: Apr 26, 2026, 09:53 PM
Package URL: pkg:socket/skills-sh/qwibitai%2Fnanoclaw%2Fmigrate-from-openclaw%2F@a744ba7bd7706fb94753f0bb43baea848b5ff35a