The Agent Skills Directory

[DATA_EXFILTRATION]: The migration script (scripts/openclaw_to_hermes.py) is designed to read sensitive files from the user's home directory, specifically within ~/.openclaw. This includes .env files, openclaw.json, and auth-profiles.json, which often contain model provider API keys (OpenAI, Anthropic, OpenRouter) and service tokens (Telegram). While this involves access to credentials (CREDENTIALS_UNSAFE), the data is moved locally from the OpenClaw configuration to the Hermes configuration (~/.hermes/.env). No network exfiltration or remote transmission of this data was detected in the script's logic.
[COMMAND_EXECUTION]: The skill requires the execution of a Python script (scripts/openclaw_to_hermes.py) via the system terminal to perform the migration. The script uses standard libraries (os, shutil, pathlib) for file system operations. It does not utilize eval() or exec() on untrusted input, and command arguments are handled via argparse.
[PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8) because it ingests untrusted text data (such as MEMORY.md, USER.md, and SOUL.md) from a previous agent's environment and merges it into the current agent's long-term memory.
Ingestion points: ~/.openclaw/workspace/MEMORY.md, ~/.openclaw/workspace/USER.md, and ~/.openclaw/workspace/SOUL.md (processed in scripts/openclaw_to_hermes.py).
Boundary markers: The script uses ENTRY_DELIMITER (\n§\n) when writing to the target memory files, but does not wrap the imported content in explicit instruction-isolation markers.
Capability inventory: The agent has the capability to execute shell commands (via the migration script) and write to the local file system.
Sanitization: The script performs 'rebranding' via regex (replacing 'OpenClaw' with 'Hermes'), but does not filter for malicious instructions embedded in the imported text. The risk is considered low as the source is the user's own previous agent data.

openclaw-migration