Zhuaxia
ReviewAudited by ClawScan on May 10, 2026.
Overview
Zhuaxia is a coherent backup/migration skill, but it handles whole OpenClaw state, so users should review exports and import previews carefully.
This skill appears purpose-aligned for backing up and migrating OpenClaw. Before sharing an exported .claw file, review what it contains and do not rely solely on the 'safe to share' reassurance. Before importing, always use the dry-run preview, check overwritten files and required skills, keep the backup ID, and only import packages from sources you trust.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If redaction were incomplete, a shared .claw package could expose secrets, though the artifacts do not show intentional leakage.
The export process necessarily handles OpenClaw configuration that may contain credentials, and users rely on the skill's redaction before sharing a package.
Sensitive data (API keys, tokens) is automatically stripped.
Inspect exported packages or redaction summaries before sharing, especially from profiles that have API keys or tokens.
Installing a package from someone else could change the agent's behavior or required skills.
The import workflow treats .claw packages as a source of agent state and skill requirements, which is expected for migration but means untrusted packages can change the agent's instruction/tool supply chain.
Required skills that need to be installed
Only import .claw files from trusted sources, always review the dry-run output, and confirm any skill changes before installing.
Including memory can expose private context or carry old instructions into another instance.
The skill can export persistent OpenClaw memory, but the default is off and the guide says to suggest it only when the user explicitly wants to transfer memories.
`--include-memory` | Include MEMORY.md | false
Keep memory export disabled unless you specifically need it, and review memory contents before sharing or importing.
A bad or unwanted import could alter the active OpenClaw setup until rolled back.
Importing can overwrite active workspace files and change the current agent state, but the workflow requires dry-run review, warning, backup, and rollback.
Your current agent personality will be replaced. A backup will be created automatically so you can rollback if needed.
Use the dry-run, read overwrite warnings, save the backup ID, and roll back if the imported state is not what you expected.
Running the command with the wrong path or backup ID could delete saved backups.
The documentation includes a destructive cleanup command. It is scoped to the skill's backup directory and appears user-directed, not automatic.
rm -rf ~/.openclaw/.zhuaxia-backups/<old-id>
Prefer listing backups first and only delete a specific confirmed backup directory.
A user might share a package too readily if they interpret 'safe to share' as meaning all sensitive personal or business content was removed.
The guide encourages a safety reassurance after export. This is aligned with the sharing purpose, but users should remember that non-credential workspace content may still be sensitive.
how many credentials were stripped (reassure them it's safe to share)
Treat credential stripping as helpful but not a substitute for reviewing package contents before sharing.