Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Session Sync Cloud

v1.0.0

Automatic cloud backup and sync for OpenClaw memory files. Encrypted upload to S3/Backblaze, versioned retention (30 days), cross-device restore. Includes we...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill claims to provide encrypted, versioned backups to S3-compatible storage and to scan the workspace memory/ directory — the code does scan memory/ and uploads files to a user-provided S3 bucket via boto3, which is coherent with the stated purpose. However, the SKILL.md repeatedly claims AES-256 client-side encryption and key-derivation behavior that is not present in the provided run.py; that is a material mismatch between claimed capability and implementation.
Instruction Scope
SKILL.md instructs creating a plaintext session-sync-config.json with access key and secret and (optionally) an encryption key. The code uses that config to read credentials and upload all files under memory/ (no excludes) — sensible for backup but will include any secrets in memory/. Critically, SKILL.md promises end-to-end AES-256 encryption before upload and deriving keys from credentials if unset; the provided run.py does not perform any encryption or use an encryption key. The dashboard HTML references an HTTP restore endpoint ('/restore') that is not implemented in the code. The code will therefore upload plaintext to the configured bucket despite the documentation claiming ciphertext-only storage.
Install Mechanism
No install spec (instruction-only) and a small python script; low install-surface. The script requires boto3 (it checks and errors if missing) and suggests pip installing it. No downloads from arbitrary URLs or archive extraction are present.
Credentials
No environment variables are requested; the skill uses a workspace config file that must contain the cloud access key and secret. Requesting cloud credentials in that config is proportional to performing S3 uploads. However, storing credentials in a plaintext file in the workspace is a sensitive design choice (risk of accidental leakage). The SKILL.md's claim that an encryption key can be derived from credentials is insecure and—critically—not implemented in the code.
Persistence & Privilege
The skill is not force-enabled (always: false) and is user-invocable. It does not request persistent, platform-wide privileges in the metadata. It writes artifacts to the workspace (logs, dashboard) which is expected for a backup tool.
What to consider before installing
Do not assume your backups will be end-to-end encrypted — the documentation promises AES-256 client-side encryption but the included Python script does not implement any encryption or use an encryption key. Before installing or pointing this skill at real data:

  • Ask the author to provide the complete, untruncated source and an explicit implementation of client-side encryption (or remove the encryption claims). Verify the code actually encrypts data before any network call.
  • Avoid putting real credentials or sensitive data in session-sync-config.json in plaintext until you trust the implementation. Use a bucket and access key with minimal permissions (e.g., a dedicated key limited to PutObject/DeleteObject/ListObjects on a single bucket/prefix).
  • Test with non-sensitive dummy data first to confirm behavior (uploads, pruning, restore).
  • Confirm how dashboard restore is intended to work (the HTML references an HTTP endpoint that the script does not provide).
  • If you need true E2E encryption, insist on peer-reviewed crypto code or use a vetted client-side encryption library (e.g., AWS S3 client-side encryption SDKs) and do not rely on deriving keys from credentials.

Given the mismatch between claims and code, treat this skill as suspicious and avoid pointing it at any sensitive workspace until the author fixes and documents the missing encryption and provides the complete working code.

Like a lobster shell, security has layers — review code before you run it.

Tags: backup, cloud, latest, persistence, sync

SKILL.md

Session Sync Cloud

Keep your agent's memory safe and synced across devices. Automatic encrypted backups to cloud storage (S3, Backblaze B2, or custom S3-compatible).

Why

You have precious conversation history, WAL entries, working buffer, and PARA notes. Losing them means context amnesia returns.

This skill automates backup:

  • Every 15 minutes while agent is running
  • After every /wrap_up
  • Manual trigger available

Restore is one command away on a new device.

Features

  • Encrypted upload — AES-256; server never sees plaintext
  • Versioned retention — Keep last 30 days of backups; prune automatically
  • Cross-device — Install skill on another machine, run sync_restore to pull latest
  • Dashboard — Open memory/sync-dashboard.html to see backup history and storage usage
  • Low bandwidth — Only upload changed files (delta compression)
  • Resume interrupted — Large files chunked; can resume

Prerequisites

  • Cloud storage bucket with S3-compatible API (AWS S3, Backblaze B2, MinIO, Wasabi)
  • Access key + secret
  • Bucket name

Configuration

Create session-sync-config.json in workspace root:

{
  "provider": "s3",
  "endpoint": "https://s3.amazonaws.com",
  "bucket": "my-openclaw-backups",
  "key_id": "YOUR_ACCESS_KEY",
  "secret_key": "YOUR_SECRET_KEY",
  "region": "us-east-1",
  "path_prefix": "openclaw/nero/",
  "interval_minutes": 15,
  "retention_days": 30,
  "encryption_key": "YOUR_32_BYTE_KEY_BASE64"
}

Field notes (JSON does not allow comments, so they are listed here rather than inline):

  • provider: "s3", or "backblaze", "custom"
  • endpoint: override for B2/MinIO
  • region: for S3; B2 uses "us-west-002" etc.
  • path_prefix: per-agent prefix
  • encryption_key: optional; if unset, uses derived key from credentials

Encryption key: Generate with openssl rand -base64 32. Store this safely — you need it to restore.

Usage

Check status

tool("session-sync-cloud", "sync_status")

Force backup now

tool("session-sync-cloud", "sync_now")

Restore from backup

tool("session-sync-cloud", "sync_restore", {"timestamp": "latest"})

Or specific timestamp (from status output or dashboard):

tool("session-sync-cloud", "sync_restore", {"timestamp": "2026-04-01T16:30:00Z"})

How It Works

  1. On trigger (timer or manual), scan memory/ directory
  2. Compute SHA256 of each file; compare with previous manifest
  3. Upload only changed files to cloud (multipart upload for large files)
  4. Save manifest JSON to cloud (lists files, hashes, timestamps)
  5. Prune old manifests beyond retention
  6. Log to memory/sync-log.jsonl
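Steps 1 to 3 and 5 above, sketched as an added example that is not the skill's own code. Function names, the manifest layout (relative path mapped to SHA-256 hex digest) and the timestamp format (taken from the sync_restore example) are assumptions.

```python
import hashlib
from datetime import datetime, timedelta
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Steps 1-2: map every file under root to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def plan_sync(previous: dict, current: dict) -> dict:
    """Step 3: new or changed files need upload; vanished files are reported."""
    upload = sorted(p for p, h in current.items() if previous.get(p) != h)
    deleted = sorted(p for p in previous if p not in current)
    return {"upload": upload, "deleted": deleted}


def manifests_to_prune(timestamps, now: datetime, retention_days: int = 30):
    """Step 5: manifest timestamps (e.g. 2026-04-01T16:30:00Z) past retention."""
    cutoff = now - timedelta(days=retention_days)  # now must be timezone-aware

    def parse(ts):
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))

    return sorted(ts for ts in timestamps if parse(ts) < cutoff)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in for memory/
        root = Path(tmp)
        (root / "notes.md").write_text("v1")
        before = build_manifest(root)
        (root / "sync-log.jsonl").write_text('{"event": "backup"}\n')  # step 6
        print(plan_sync(before, build_manifest(root)))
```

Because step 6 writes its log inside memory/ and the FAQ says excludes are not supported, the log shows up as changed on every run under this sketch. The manifest itself holds file names and plaintext digests, so it needs the same protection as the files it describes.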

Dashboard

Open memory/sync-dashboard.html in browser. It shows:

  • Last backup time
  • Storage used (cloud)
  • Number of versions retained
  • Quick restore buttons (click to download latest manifest then restore)

Pricing

$9/month per agent. Includes:

  • Unlimited backup storage (up to 1GB; beyond that $0.02/GB-month)
  • Unlimited restores
  • Dashboard access
  • Email support

FAQ

Q: Can I use any S3-compatible storage?
A: Yes. S3, Backblaze B2, MinIO, Wasabi, Cloudflare R2.

Q: Is end-to-end encryption mandatory?
A: Yes. All data encrypted before upload. Server only stores ciphertext.

Q: What if I lose the encryption key?
A: Unfortunately, you cannot restore. Keep the key safe.

Q: How do I migrate to a new device?
A: Install the skill, configure with same cloud credentials and encryption key, then run sync_restore.

Q: Can I exclude certain files?
A: Not yet. Currently backs up entire memory/. Future version may add excludes.


Inspired by need for persistent-memory-as-a-service. Simple, reliable, affordable.
