clawd-migrate
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real migration helper, but it handles credentials and old agent memory and may automatically run an unpinned global OpenClaw install/onboarding.
Before installing, run discovery first, choose an explicit source and output directory, back up any existing OpenClaw workspace, review migrated memory/instruction files, and avoid automatic OpenClaw setup unless you are comfortable installing the global npm package and running onboarding.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A migration run could install or replace a global package and then run its onboarding process, changing both the user's environment and the migrated workspace.
This shows the intended flow may install the latest global `openclaw` package from npm and run onboarding automatically, without a pinned version or consistently clear approval gate.
- **Reinstalls openclaw** (`npm i -g openclaw`) and runs `openclaw onboard` automatically
Require explicit user approval before setup, prefer a pinned/reviewed OpenClaw version, and consider running the OpenClaw install/onboard steps manually.
Running the setup path can execute OpenClaw's CLI in the selected directory and modify workspace files.
The setup helper executes shell commands. The command strings are fixed and purpose-aligned, but users should understand that running setup executes external CLI code.
subprocess.run("openclaw onboard", cwd=str(target_dir), capture_output=True, text=True, timeout=60, shell=True)
Run in a reviewed target directory, avoid unnecessary setup automation, and inspect OpenClaw's onboarding behavior before proceeding.
Secrets may be duplicated into `.config/clawdbook/` and backup folders, increasing the number of places credentials must be protected.
The migration intentionally reads and copies credential/API-key files from the old bot configuration into the OpenClaw layout.
# Clawdbook/Moltbook data: keep separate and safe (credentials, API keys)
Use a trusted output directory, restrict permissions on backups and migrated config files, and do not share the backup or migrated workspace without removing secrets.
Old or poisoned instructions, identity notes, tool notes, or user memories could influence the new agent after migration.
The tool migrates persistent memory and agent-instruction files, including files that may shape future OpenClaw agent behavior.
SOURCE_MEMORY_FILES = ["SOUL.md", "USER.md", "TOOLS.md", "IDENTITY.md", "AGENTS.md", "MEMORY.md"]
Review migrated memory and instruction files before using the new OpenClaw workspace.
