Install
openclaw skills install @ifox2046/openclaw-webdav-backupBackup and restore an OpenClaw workspace with incremental backups, integrity verification, health checks, optional config encryption and optional WebDAV upload. Supports full/incremental backup strategies (smart/daily/hourly), backup version management (list/select/delete), and configuration health diagnostics. Use when users want OpenClaw backup, restore, VM migration/disaster recovery, encrypted config backups, WebDAV-based offsite copies, scheduled backups, or backup integrity monitoring. Users must provide their own WebDAV service and credentials.
openclaw skills install @ifox2046/openclaw-webdav-backupLightweight backup/restore skill for OpenClaw.
It covers:
openclaw.jsonIt does not provide WebDAV storage. The user must supply their own WebDAV endpoint and credentials.
Use this skill when the user asks to:
Canonical implementation lives inside the skill:
scripts/openclaw-backup.impl.shscripts/openclaw-restore.impl.shThin wrapper scripts may also exist in the workspace and call these implementations. Keep the skill scripts as the source of truth.
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh
Auto-determines level based on day:
# Smart strategy (recommended for cron)
BACKUP_STRATEGY=smart bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh
# Or explicitly set level
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh --level=1
🔴 CHECKPOINT: Confirm with the user before uploading to any remote WebDAV target. This operation sends potentially sensitive data (including encrypted configs) to an external server. Only proceed after explicit user confirmation.
Prepare .env.backup with the user's own WebDAV settings, then run:
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh --encrypt-config --upload
Only do real upload after confirming the user wants to write to the remote WebDAV target.
🛑 STOP: Restore will overwrite current workspace files. Before proceeding, confirm with the user:
bash skills/openclaw-webdav-backup/scripts/openclaw-restore.sh --from backups/openclaw/latest --decrypt-config
If any backup, upload, restore, or notification operation fails, follow the table below:
| Trigger Condition | First-Line Fix | If Still Failing (Fallback) |
|---|---|---|
| WebDAV upload fails (curl error) | Retry with --retry 3, verify .env.backup credentials | Fall back to local-only backup, notify user with error details |
Backup integrity check fails (tar -tzf error) | Report specific archive corruption path, do NOT proceed with restore | Suggest manual inspection of the backup directory and logs |
| Encryption fails (openssl unavailable) | Check openssl version and install if missing | Fall back to unencrypted backup with a clear security warning |
| Restore source missing or corrupted | Verify backup path exists with ls -la | List available backups for user to select an alternative |
| Disk space insufficient for backup | Run df -h . and suggest cleanup | Abort with available-space-required message and suggestions |
| Notification send fails (Telegram/WeCom/Feishu) | Check network, verify token/key in .env.backup.notify | Log failure locally and continue; backup itself is not affected |
| Compression tool unavailable (pigz/pzstd) | Auto-fallback to gzip/zstd (single-threaded) | Log warning about degraded performance, proceed with gzip |
The skill supports multiple backup strategies via BACKUP_STRATEGY environment variable:
| Strategy | Description | Level Behavior |
|---|---|---|
full (default) | Always full backup | Level 0 |
weekly | Weekly full backup | Level 0 |
daily | Daily with auto-incremental | Level 0 once, then Level 1 |
smart | Recommended for production | Sunday=Level 0, Mon-Sat=Level 1 |
hourly | Fine-grained incremental | Level 0 → 1 → 2 chain |
# Smart strategy: Sunday full, weekdays incremental
0 0 * * 0 BACKUP_STRATEGY=smart /path/to/openclaw-backup.sh --upload
30 3 * * 1-6 BACKUP_STRATEGY=smart /path/to/openclaw-backup.sh --upload
# Weekly full only
0 3 * * 0 BACKUP_STRATEGY=weekly /path/to/openclaw-backup.sh --upload
# Daily with auto-level detection
0 3 * * * BACKUP_STRATEGY=daily /path/to/openclaw-backup.sh
Override auto-detection with --level flag:
bash openclaw-backup.sh --level=0 # Force full backup
bash openclaw-backup.sh --level=1 # Force incremental (level 1)
The skill supports multiple compression tools with automatic detection of parallel variants:
| Option | Tool | Threads | Notes |
|---|---|---|---|
gzip | gzip | 1 | Standard, widely available |
pigz | pigz | N | Parallel gzip, 3-5x faster |
zstd | zstd | 1 | High compression ratio |
pzstd | pzstd | N | Parallel zstd, fastest option |
By default, the skill auto-detects the best available compressor:
# Prefers pigz > gzip, pzstd > zstd
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh
Force a specific compressor:
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh --compress=pigz
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh --compress=pzstd
Control the number of compression threads (default: auto-detect CPU cores):
# Use 8 threads explicitly
PARALLEL_JOBS=8 bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh
# Or via CLI
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh --jobs=8
Install parallel compression tools for best performance:
# Ubuntu/Debian
sudo apt-get install pigz zstd
# macOS
brew install pigz zstd
# CentOS/RHEL
sudo yum install pigz zstd
The skill supports multiple notification channels for backup success/failure alerts.
| Channel | Status | Configuration |
|---|---|---|
| Telegram | ✅ Ready | Bot token + Chat ID |
| WeCom (企业微信) | ✅ Ready | Webhook key |
| Feishu (飞书) | ✅ Ready | Webhook token |
cp references/env.backup.notify.example .env.backup.notify
.env.backup.notify with your channel settings:BACKUP_NOTIFY=1
BACKUP_NOTIFY_CHANNEL="telegram"
BACKUP_NOTIFY_TELEGRAM_CHAT_ID="123456789"
BACKUP_NOTIFY_TELEGRAM_BOT_TOKEN="123456:your-bot-token" # Optional, can auto-detect
BACKUP_NOTIFY=1
BACKUP_NOTIFY_CHANNEL="wecom"
BACKUP_NOTIFY_WECOM_KEY="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
BACKUP_NOTIFY_WECOM_MENTION="13800138000,13900139000" # Optional: mobile numbers
Get webhook key from: Group Settings → Add Robot → Copy Webhook URL key
BACKUP_NOTIFY=1
BACKUP_NOTIFY_CHANNEL="feishu"
BACKUP_NOTIFY_FEISHU_TOKEN="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
BACKUP_NOTIFY_FEISHU_SECRET="your-secret" # Optional: if signature enabled
Get webhook token from: Group Settings → Add Bot → Copy Webhook URL token
Notifications include:
Do NOT do the following when using or maintaining this skill:
| 🚫 Anti-Pattern | Why | Correct Approach |
|---|---|---|
Commit .env.backup or .env.backup.secret to git | Leaks WebDAV credentials and encryption keys permanently | Add to .gitignore; only share via secure channel |
| Hardcode real credentials in example files | Examples get copied into scripts and committed | Always use placeholder values (your_webdav_url, your_password) |
| Run restore without user confirmation | Overwrites the current workspace irreversibly | Use --dry-run first, then confirm with user |
| Delete old backups without asking | User may need older backups for audit/recovery | List available versions, let user choose which to delete |
Upload unencrypted openclaw.json to remote | Contains API keys, tokens, and secrets | Always use --encrypt-config before --upload |
Run destructive operations without --dry-run | No way to preview what will happen | Always offer dry-run first; restore supports --dry-run flag |
Include real tokens in .env.backup.notify examples | Notification tokens can be misused if leaked | Use placeholder values in docs; store real values separately |
The following operations require explicit user confirmation before proceeding:
| Operation | Checkpoint | Risk Level |
|---|---|---|
| WebDAV upload | Confirm remote target and data sensitivity | 🔴 High |
| Restore from backup | Confirm backup path, destructive nature, current state backup | 🔴 High |
| Encrypted config backup | Confirm encryption password is recoverable | 🟡 Medium |
openclaw.json may contain secrets, tokens, and API keys--encrypt-config before remote upload.env.backup stores WebDAV connection settings and should not be committed.env.backup.secret is optional; it is only a convenience carrier for BACKUP_ENCRYPT_PASS.env.backup.notify is optional and enables backup notifications when configured.env.backup.secret and the password are either/or: either keep the file, or remember/provide the password.env.backup and .env.backup.secretLOCAL_KEEP and REMOTE_KEEPreferences/backup.mdreferences/restore.mdreferences/scheduling.mdreferences/migration-plan.mdreferences/faq.mdreferences/env.backup.example, references/env.backup.secret.example, and references/env.backup.notify.exampleThis skill has been validated against a real OpenClaw setup for:
Run scripts/openclaw-healthcheck.sh to diagnose backup environment:
bash skills/openclaw-webdav-backup/scripts/openclaw-healthcheck.sh
Checks performed:
| Check | Description |
|---|---|
| Base Environment | workspace dir, state dir, openclaw.json, extensions |
| Backup Infrastructure | backup root, snapshot dir, existing backups |
| Dependencies | tar, curl, openssl availability |
| Configuration | .env.backup, .env.backup.secret variables |
| Backup Integrity | Validates all existing tar.gz archives |
Exit codes:
0 - All checks passed1 - One or more critical checks failedEvery backup automatically runs integrity checks:
tar -tzf verifies archive structureFailed integrity checks will abort the backup with error status.
To manually verify a specific backup:
tar -tzf backups/openclaw/2026-04-02-030000/workspace.tar.gz >/dev/null && echo "Valid" || echo "Corrupted"
When restoring, verify the backup before extraction:
# Check integrity first
bash scripts/openclaw-restore.sh --from <backup_dir> --dry-run
# Then perform actual restore
bash scripts/openclaw-restore.sh --from <backup_dir>
Before sharing this skill privately, verify:
.env.backup or .env.backup.secret is includedThis skill intentionally stays lightweight. It supports:
It does not currently provide: