EasyClaw Config Migration
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly a scoped config migration helper, but its merge script can print gateway authentication tokens in clear text while changing OpenClaw settings.
Use the report and dry-run first. Do not paste raw merge output into chat if it includes gateway.auth.token. Prefer a version that redacts token values, or manually migrate token settings after reviewing the backup.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A gateway token could appear in terminal output, logs, or an agent chat transcript during dry-run or apply, potentially exposing account or gateway access.
The merge mappings include a gateway auth token, and the generic change printer emits old and new values without redaction. A changed token would therefore be printed in clear text.
('gateway.auth.token', 'gateway.auth.token'), ... print(f'- {path}: {old!r} -> {new!r}')Redact secret-like fields in merge output, print only changed paths for token fields, and require explicit user confirmation before migrating authentication tokens.
Applying the migration may change OpenClaw command and gateway behavior until the config is restored or edited.
The script can persistently modify the active OpenClaw configuration when --apply is used. This is disclosed and backup-aware, but it can affect runtime behavior.
parser.add_argument('--apply', action='store_true', help='Write changes to ~/.openclaw/openclaw.json') ... OPENCLAW_CFG.write_text(json.dumps(updated, indent=2, ensure_ascii=False) + '\n')Run the dry run first, review all changed fields carefully, and keep the backup path before applying changes.