Keep My Claw — OpenClaw Backup
Warn
Audited by ClawScan on May 10, 2026.
Overview
This backup skill does what it says, but it gives the agent broad credential access and can restore or modify agent files without enough human confirmation.
Install only if you trust Keep My Claw with encrypted off-site snapshots of your OpenClaw workspace and credentials. Prefer a scoped agent API key, verify exactly what files are included, save the encryption passphrase outside the machine, avoid autonomous restores, and review any scheduled backup or restored cron jobs before enabling them.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be moved through a paid backup setup and credential-handling workflow before reviewing the exact data scope and privileges.
The default flow minimizes human involvement while creating an account, obtaining a paid checkout link, creating keys, running a first backup, and scheduling future backups.
**You (the agent) handle everything. The human only clicks a payment link.**
Require explicit user confirmation before account creation, payment checkout, first backup, and scheduling; show the data scope before upload.
If the local config or agent is compromised, the attacker may get broader Keep My Claw account authority than needed for backup and restore.
The default setup creates an admin API key for the agent, even though the same documentation later describes an agent-scoped key for backup/restore only.
-d '{"name":"agent","permissions":"admin"}'
Default to the least-privileged agent key, and require a separate user-approved admin action only when account management is actually needed.
This is expected for full-agent backup, but it means auth tokens and other credentials are part of the off-site snapshot.
The backup script includes every file under the OpenClaw credentials directory in the encrypted archive and uploads it to the Keep My Claw API.
find credentials -type f ... --data-binary @"$ENC_FILE" ... "/v1/agents/${CLAWKEEPER_AGENT_NAME}/backups"
Use this only if you trust the service and encryption model; inspect the file list and consider exclusions for credentials you do not want backed up.
An agent-run restore could overwrite workspace files, credentials, cron jobs, and agent configuration without a fresh human confirmation.
When restore runs without an interactive terminal, it proceeds after the overwrite warning and extracts files into ~/.openclaw.
echo " (Non-interactive mode — proceeding)" ... tar -xzf "$TAR_FILE" -C "$OPENCLAW_DIR"
Require an explicit --yes flag or human approval for restore, create a pre-restore backup, and review restored cron jobs and credentials before restart.
A malicious or malformed value could cause shell commands to run later when backup, restore, list, or prune scripts load the config.
Raw API key, agent name, and URL values are written into a shell config file; the other scripts source that file, so quotes or newlines in those values could become shell syntax.
cat > "$CONFIG_FILE" <<EOF ... CLAWKEEPER_API_KEY="${api_key}" ... CLAWKEEPER_API_URL="${api_url}"
Store config as JSON or another non-executable format, or strictly validate and shell-escape every value before writing a sourced file.
Sensitive or poisoned agent state can be preserved and reintroduced on another machine during restore.
The skill intentionally captures and restores persistent agent context, skills, and scheduled jobs.
backs up your entire agent system — workspace, memory, skills, projects, cron jobs, credentials, and multi-agent configs
Review snapshots before restore where possible, keep the encryption passphrase secure, and consider allowlists or exclusions for sensitive memory, skills, and scheduled tasks.
