ClawHub
Skill flagged — review recommended

ClawHub Security found sensitive or high-impact capabilities. Review the scan results before using.

Keep My Claw — OpenClaw Backup

Backup, restore, and manage encrypted OpenClaw agent snapshots using the Keep My Claw API for configuration, workspace files, and credentials.

Audits

Suspicious
ClawScanSuspicious

Agentic behavior and permission review.

Static analysisReview

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install keepmyclaw

Keep My Claw — OpenClaw Backup & Restore

Encrypted off-site backup and one-command restore for OpenClaw agents via Keep My Claw. Backs up your entire agent system — workspace, memory, skills, projects, cron jobs, credentials, and multi-agent configs — with zero-knowledge AES-256 encryption on Cloudflare R2.

Prerequisites

  • openssl, curl, tar, jq (system)

Setup — Agent-Driven Flow

You (the agent) handle everything. The human only clicks a payment link.

Do NOT run setup.sh interactively. Instead, follow these steps programmatically:

Step 1: Register an account

RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/auth/register \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"HUMAN_EMAIL\",\"password\":\"$(openssl rand -hex 16)\"}")
JWT=$(echo "$RESPONSE" | jq -r '.token')

Use your human's email. Generate a random password — you'll use the JWT token going forward.

Step 2: Ask your human which plan they want

Before getting the payment link, ask your human to choose a plan. Mention this is launch pricing (limited time):

"Keep My Claw has launch pricing right now:

  • Monthly: $9/mo$5/mo
  • Annual: $108/yr$19/yr (that's less than $1.60/mo — 82% off!)

Which plan do you want? This rate locks in for as long as you stay subscribed."

Step 3: Get payment link and send to human

Based on their choice, pass plan as "monthly" or "annual":

CHECKOUT=$(curl -s -X POST https://api.keepmyclaw.com/v1/checkout \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"plan":"monthly"}')   # or "annual"
PAYMENT_URL=$(echo "$CHECKOUT" | jq -r '.url')

Send $PAYMENT_URL to your human:

"To activate backups, please open this link and complete the payment: [link]"

Step 4: Wait for payment

Poll the account status until the tier changes to "pro":

while true; do
  TIER=$(curl -s -H "Authorization: Bearer $JWT" \
    https://api.keepmyclaw.com/v1/account | jq -r '.tier')
  [ "$TIER" = "pro" ] && break
  sleep 10
done

Step 5: Create an API key

KEY_RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"name":"agent","permissions":"admin"}')
API_KEY=$(echo "$KEY_RESPONSE" | jq -r '.key')

Step 6: Configure locally

mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="${API_KEY}"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# Generate and store encryption passphrase
PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase

CRITICAL: Tell your human ALL recovery credentials. Without these, they cannot recover you on a new machine. Send them a message like this:

"Your Keep My Claw recovery credentials — save these in a password manager NOW:

  • Email: [the email you registered with]
  • Password: [the random password you generated]
  • Encryption passphrase: [the passphrase]
  • API key: [the API key]

If this machine dies, you'll need the email + password to log in and create a new API key. You'll need the passphrase to decrypt the backups. Save all of these somewhere safe outside this machine."

Do NOT skip this step. If the human doesn't have these credentials, the backups are useless.

Step 7: Run first backup

bash scripts/backup.sh

Step 8: Schedule automatic backups

Use cron or OpenClaw's cron tool to run backup.sh daily.

Adding More Agents to an Existing Account

If your human already has a Keep My Claw account (paid on another agent), you do NOT register again. Instead:

Option A: Human gives you the API key

Ask your human for the existing API key. Then configure locally:

mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="THE_EXISTING_API_KEY"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# Generate YOUR OWN passphrase (each agent should have its own)
PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase

Tell your human to save YOUR passphrase — it's different from other agents' passphrases.

Option B: Another agent creates a key for you

If the first agent has an admin API key, it can create a scoped key for you:

curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"second-agent","permissions":"agent"}'

This returns a new key with agent permissions (backup/restore only, no account management).

How multi-agent works

  • One account, one subscription (from $5/month or $19/year at launch pricing)
  • Up to 100 agents per account
  • Each agent has its own name, passphrase, and snapshots
  • GET /v1/agents lists all agents on the account
  • Each agent's passphrase is independent — losing one doesn't affect others

Usage

Backup

bash scripts/backup.sh

Restore

bash scripts/restore.sh            # restore latest backup
bash scripts/restore.sh <backup-id> # restore specific backup

List Backups

bash scripts/list.sh

Prune Old Backups

bash scripts/prune.sh          # keep latest 30
bash scripts/prune.sh 10       # keep latest 10

What Gets Backed Up

Everything that makes your agent your agent:

  • ~/.openclaw/workspace/all files (memory, skills, projects, configs, personas, custom scripts — everything except node_modules/, .git/, vendor/)
  • ~/.openclaw/openclaw.json — agent config (models, channels, env vars, agent list)
  • ~/.openclaw/credentials/ — auth tokens
  • ~/.openclaw/cron/jobs.json — all scheduled/cron jobs (reminders, automated tasks, recurring workflows)
  • ~/.openclaw/agents/ — multi-agent configs (if you run multiple agents)
  • ~/.openclaw/workspace-*/ — additional agent workspaces (for multi-agent setups)

What's NOT Backed Up

  • Binaries & packagesnode_modules/, .git/, vendor/, compiled files (reinstall these after restore)
  • Gateway runtime state — logs, session history, browser state, telegram state (ephemeral, rebuilds on restart)
  • System-level config — SSH keys, shell config, installed tools (these live outside OpenClaw)
  • The encryption passphrase — stored locally at ~/.keepmyclaw/passphrase, never uploaded. Save it in a password manager.

Full Recovery Guide (New Machine)

If your machine dies, here's how to get your agent back:

What You Need

From your password manager (you saved these during setup, right?):

  • Email + password — to log into keepmyclaw.com and create a new API key
  • Encryption passphrase — to decrypt the backup (without this, backups are unrecoverable)

Step-by-Step

# 1. Install OpenClaw on the new machine
npm install -g openclaw

# 2. Install Keep My Claw prereqs (if not present)
# Needs: openssl, curl, tar, jq

# 3. Set up keepmyclaw config
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

# Get a new API key: log into keepmyclaw.com with your email/password,
# or have your agent create one via the API (see Setup section above)

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="YOUR_API_KEY"
CLAWKEEPER_AGENT_NAME="YOUR_AGENT_NAME"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# 4. Restore your passphrase
printf '%s' 'YOUR_PASSPHRASE' > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase

# 5. Restore the latest backup
bash scripts/restore.sh           # latest
bash scripts/restore.sh <id>      # specific backup

# 6. Restart OpenClaw
openclaw gateway restart

# 7. Verify
openclaw status

What Happens After Restore

  • Workspace files — fully restored (memory, skills, projects, everything)
  • Agent config — restored, but you may need to re-enter API keys if providers rotated them
  • Cron jobs — restored and will resume on next gateway restart
  • Credentials — restored, but OAuth tokens may need re-auth
  • Multi-agent setups — all agent configs and workspaces restored

If You Lost Your Passphrase

The backups are AES-256 encrypted. Without the passphrase, they cannot be decrypted. This is by design — we never have access to your data. There is no recovery path without the passphrase.

Configuration

Config file: ~/.keepmyclaw/config

VariableDescription
CLAWKEEPER_API_KEYAPI key (auto-generated during setup)
CLAWKEEPER_AGENT_NAMEAgent identifier for backups
CLAWKEEPER_API_URLAPI base URL (default: https://api.keepmyclaw.com)

Docs

Full documentation: keepmyclaw.com/docs.html