OC Migrator
Pending: Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Restoring an archive can replace the user's OpenClaw configuration, installed skills, scripts, and workspace state, which could cause data loss or change future agent behavior.
The restore path writes backup contents directly over local OpenClaw configuration and workspace directories, including skills and scripts, without a visible confirmation, rollback backup, or scoped restore guard.
cp "$RESTORE_DIR/config/openclaw.json" "$OC_HOME/openclaw.json" ... cp -R "$RESTORE_DIR/workspace/$dir/"* "$OC_WORKSPACE/$dir/"
Only restore archives you created and trust. Before restoring, make a separate copy of ~/.openclaw, inspect the archive contents where possible, and prefer a version that adds restore confirmation and rollback.
Anyone who obtains an unencrypted backup, or an encrypted backup plus its password, may gain access to services configured in OpenClaw.
The skill explicitly says backups may contain API keys or auth profiles. This is purpose-aligned for migration, but it means the backup archive should be treated like a credential store.
Auth profiles with API keys are included — handle backups securely
Use strong unique encryption passwords, avoid --no-encrypt unless the file stays in a trusted location, and do not share or upload backups casually.
A stale or untrusted backup could seed persistent instructions, memories, or tools that change how the agent behaves later.
The restore process imports persistent memory, knowledge, learnings, scripts, and skills into the active OpenClaw workspace, where they may influence future agent sessions.
for dir in memory knowledge .learnings scripts skills; do ... cp -R "$RESTORE_DIR/workspace/$dir/"* "$OC_WORKSPACE/$dir/"
Restore only from trusted backups, review memory/knowledge/skills after restore, and consider adding integrity checks or a preview mode before applying persistent state.
A user might underestimate the sensitivity of these archives if they treat cloud storage as automatically safe.
The safety wording is broad even though the backup can include API keys and long-term memory, and the skill also supports unencrypted exports.
Encrypted backups safe for cloud storage (S3, Google Drive, etc.)
Treat every backup as sensitive, verify encryption is enabled, use a strong password, and apply normal cloud-storage access controls.
