ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Keep My Claw — OpenClaw Backup

Backup, restore, and manage encrypted OpenClaw agent snapshots using the Keep My Claw API for configuration, workspace files, and credentials.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 666 · 0 current installs · 0 all-time installs
byHamon Ben Riazy@Ryce
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (encrypted off-site backup of OpenClaw agents) matches the scripts and SKILL.md: the skill reads ~/.openclaw, archives workspace/config/credentials/cron/agent dirs, encrypts with a local passphrase, and uploads to the Keep My Claw API. Required tools (curl, openssl, tar, jq, python3) are used and expected for this functionality.
Instruction Scope
The SKILL.md instructs the agent to programmatically register an account (create JWT and API keys), generate a random account password, poll for payment activation, and then create/store an API key and encryption passphrase locally. That behavior is consistent with automating onboarding but has privacy/consent implications: the agent creates credentials and will upload highly sensitive files (credentials directory) to a third-party endpoint. The instructions correctly confine file access to ~/.openclaw and write config to ~/.keepmyclaw, but the 'agent handles everything; human only clicks payment link' pattern means account creation happens mostly without interactive human input.
Install Mechanism
No install spec; this is an instruction + script bundle. All code is included in the skill (no downloads or archives), so nothing external is installed during skill use beyond the service API calls. This minimizes install-time risk.
Credentials
The skill does not request environment variables but does read and upload sensitive local files (openclaw credentials, configs, cron jobs). That is proportionate to a full-agent backup tool, but it is high sensitivity: the API key and encryption passphrase are persisted under ~/.keepmyclaw and the backup contains credentials that, while encrypted, are stored off-host. Users should treat this as granting a third party access to secrets if the passphrase or API key are compromised or mishandled.
Persistence & Privilege
The skill does not demand always:true or elevated platform privileges. It writes its own config/passphrase into ~/.keepmyclaw (expected for a backup client) and does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do exactly what it says: it collects your OpenClaw agent files (including credentials), AES-256 encrypts them with a locally generated passphrase, and uploads them to https://api.keepmyclaw.com. Before installing/using it, consider: (1) Trust the service: the source/homepage is missing — verify keepmyclaw.com's legitimacy and privacy policy; (2) Protect recovery data: the skill instructs the agent to create an account, a random password, an API key, and a passphrase — you must securely store those outside the machine or you could lose access; (3) Threat model: this will move sensitive secrets off your host (even though encrypted). If you cannot trust the remote service or its operators, do not use it for highly sensitive credentials. (4) Review the scripts locally: they are readable and contained — you can run them in a controlled environment first (or on a disposable agent) and test restores before trusting production data. (5) Payment flow: the agent will create the account and only requires the human to complete a payment link; be sure you consent to billing and account creation. If you want lower risk, consider using an internal backup target you control rather than a third-party SaaS.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.4.1
Download zip
agent-backupvk974j7bs7b1eyxap4tw3drs5yx82r37tbackupvk974j7bs7b1eyxap4tw3drs5yx82r37tcloudvk974j7bs7b1eyxap4tw3drs5yx82r37tdisaster-recoveryvk974j7bs7b1eyxap4tw3drs5yx82r37tencryptionvk974j7bs7b1eyxap4tw3drs5yx82r37tkeepmyclawvk974j7bs7b1eyxap4tw3drs5yx82r37tlatestvk974j7bs7b1eyxap4tw3drs5yx82r37topenclawvk974j7bs7b1eyxap4tw3drs5yx82r37trestorevk974j7bs7b1eyxap4tw3drs5yx82r37tsecurityvk974j7bs7b1eyxap4tw3drs5yx82r37t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Keep My Claw — OpenClaw Backup & Restore

Encrypted off-site backup and one-command restore for OpenClaw agents via Keep My Claw. Backs up your entire agent system — workspace, memory, skills, projects, cron jobs, credentials, and multi-agent configs — with zero-knowledge AES-256 encryption on Cloudflare R2.

Prerequisites

  • openssl, curl, tar, jq (system)

Setup — Agent-Driven Flow

You (the agent) handle everything. The human only clicks a payment link.

Do NOT run setup.sh interactively. Instead, follow these steps programmatically:

Step 1: Register an account

RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/auth/register \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"HUMAN_EMAIL\",\"password\":\"$(openssl rand -hex 16)\"}")
JWT=$(echo "$RESPONSE" | jq -r '.token')

Use your human's email. Generate a random password — you'll use the JWT token going forward.

Step 2: Ask your human which plan they want

Before getting the payment link, ask your human to choose a plan. Mention this is launch pricing (limited time):

"Keep My Claw has launch pricing right now:

  • Monthly: $9/mo$5/mo
  • Annual: $108/yr$19/yr (that's less than $1.60/mo — 82% off!)

Which plan do you want? This rate locks in for as long as you stay subscribed."

Step 3: Get payment link and send to human

Based on their choice, pass plan as "monthly" or "annual":

CHECKOUT=$(curl -s -X POST https://api.keepmyclaw.com/v1/checkout \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"plan":"monthly"}')   # or "annual"
PAYMENT_URL=$(echo "$CHECKOUT" | jq -r '.url')

Send $PAYMENT_URL to your human:

"To activate backups, please open this link and complete the payment: [link]"

Step 4: Wait for payment

Poll the account status until the tier changes to "pro":

while true; do
  TIER=$(curl -s -H "Authorization: Bearer $JWT" \
    https://api.keepmyclaw.com/v1/account | jq -r '.tier')
  [ "$TIER" = "pro" ] && break
  sleep 10
done

Step 5: Create an API key

KEY_RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"name":"agent","permissions":"admin"}')
API_KEY=$(echo "$KEY_RESPONSE" | jq -r '.key')

Step 6: Configure locally

mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="${API_KEY}"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# Generate and store encryption passphrase
PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase

CRITICAL: Tell your human ALL recovery credentials. Without these, they cannot recover you on a new machine. Send them a message like this:

"Your Keep My Claw recovery credentials — save these in a password manager NOW:

  • Email: [the email you registered with]
  • Password: [the random password you generated]
  • Encryption passphrase: [the passphrase]
  • API key: [the API key]

If this machine dies, you'll need the email + password to log in and create a new API key. You'll need the passphrase to decrypt the backups. Save all of these somewhere safe outside this machine."

Do NOT skip this step. If the human doesn't have these credentials, the backups are useless.

Step 7: Run first backup

bash scripts/backup.sh

Step 8: Schedule automatic backups

Use cron or OpenClaw's cron tool to run backup.sh daily.

Adding More Agents to an Existing Account

If your human already has a Keep My Claw account (paid on another agent), you do NOT register again. Instead:

Option A: Human gives you the API key

Ask your human for the existing API key. Then configure locally:

mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="THE_EXISTING_API_KEY"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# Generate YOUR OWN passphrase (each agent should have its own)
PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase

Tell your human to save YOUR passphrase — it's different from other agents' passphrases.

Option B: Another agent creates a key for you

If the first agent has an admin API key, it can create a scoped key for you:

curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"second-agent","permissions":"agent"}'

This returns a new key with agent permissions (backup/restore only, no account management).

How multi-agent works

  • One account, one subscription (from $5/month or $19/year at launch pricing)
  • Up to 100 agents per account
  • Each agent has its own name, passphrase, and snapshots
  • GET /v1/agents lists all agents on the account
  • Each agent's passphrase is independent — losing one doesn't affect others

Usage

Backup

bash scripts/backup.sh

Restore

bash scripts/restore.sh            # restore latest backup
bash scripts/restore.sh <backup-id> # restore specific backup

List Backups

bash scripts/list.sh

Prune Old Backups

bash scripts/prune.sh          # keep latest 30
bash scripts/prune.sh 10       # keep latest 10

What Gets Backed Up

Everything that makes your agent your agent:

  • ~/.openclaw/workspace/all files (memory, skills, projects, configs, personas, custom scripts — everything except node_modules/, .git/, vendor/)
  • ~/.openclaw/openclaw.json — agent config (models, channels, env vars, agent list)
  • ~/.openclaw/credentials/ — auth tokens
  • ~/.openclaw/cron/jobs.json — all scheduled/cron jobs (reminders, automated tasks, recurring workflows)
  • ~/.openclaw/agents/ — multi-agent configs (if you run multiple agents)
  • ~/.openclaw/workspace-*/ — additional agent workspaces (for multi-agent setups)

What's NOT Backed Up

  • Binaries & packagesnode_modules/, .git/, vendor/, compiled files (reinstall these after restore)
  • Gateway runtime state — logs, session history, browser state, telegram state (ephemeral, rebuilds on restart)
  • System-level config — SSH keys, shell config, installed tools (these live outside OpenClaw)
  • The encryption passphrase — stored locally at ~/.keepmyclaw/passphrase, never uploaded. Save it in a password manager.

Full Recovery Guide (New Machine)

If your machine dies, here's how to get your agent back:

What You Need

From your password manager (you saved these during setup, right?):

  • Email + password — to log into keepmyclaw.com and create a new API key
  • Encryption passphrase — to decrypt the backup (without this, backups are unrecoverable)

Step-by-Step

# 1. Install OpenClaw on the new machine
npm install -g openclaw

# 2. Install Keep My Claw prereqs (if not present)
# Needs: openssl, curl, tar, jq

# 3. Set up keepmyclaw config
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

# Get a new API key: log into keepmyclaw.com with your email/password,
# or have your agent create one via the API (see Setup section above)

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="YOUR_API_KEY"
CLAWKEEPER_AGENT_NAME="YOUR_AGENT_NAME"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# 4. Restore your passphrase
printf '%s' 'YOUR_PASSPHRASE' > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase

# 5. Restore the latest backup
bash scripts/restore.sh           # latest
bash scripts/restore.sh <id>      # specific backup

# 6. Restart OpenClaw
openclaw gateway restart

# 7. Verify
openclaw status

What Happens After Restore

  • Workspace files — fully restored (memory, skills, projects, everything)
  • Agent config — restored, but you may need to re-enter API keys if providers rotated them
  • Cron jobs — restored and will resume on next gateway restart
  • Credentials — restored, but OAuth tokens may need re-auth
  • Multi-agent setups — all agent configs and workspaces restored

If You Lost Your Passphrase

The backups are AES-256 encrypted. Without the passphrase, they cannot be decrypted. This is by design — we never have access to your data. There is no recovery path without the passphrase.

Configuration

Config file: ~/.keepmyclaw/config

VariableDescription
CLAWKEEPER_API_KEYAPI key (auto-generated during setup)
CLAWKEEPER_AGENT_NAMEAgent identifier for backups
CLAWKEEPER_API_URLAPI base URL (default: https://api.keepmyclaw.com)

Docs

Full documentation: keepmyclaw.com/docs.html

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…