OpenClaw Migrator

v1.0.0

Securely migrate OpenClaw Agent (config, memory, skills) to a new machine.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (migrate OpenClaw agent config, memory, skills) match the code: createArchive/restoreArchive implement tar packaging and AES-256-GCM encryption, include a manifest, and fix workspace paths on restore. Dependency choices (archiver, tar, fs-extra) are appropriate for the stated task.
Instruction Scope
SKILL.md usage (export/import with a password) aligns with the CLI implemented in src/index.js. The skill will read .openclaw and clawd directories (by default HOME-based paths) and will package whatever is present there — including sensitive files like openclaw.json and tokens, which the README and SKILL.md explicitly mention. Two source files (src/archive.js and src/restore.js) also include small standalone CLI drivers that operate on test-data paths; these are developer/test artifacts and not part of the main index.js CLI but they do require MIGRATOR_PASSWORD when invoked directly.
Install Mechanism
There is no install spec in the registry (instruction-only), but a package.json and source are included. The dependencies are standard npm packages; there are no remote downloads or URL-based installers. README suggests cloning from GitHub, but the registry entry has no homepage — you should obtain a canonical release if you plan to install.
Credentials
The registry metadata declares no required env vars, but the code (and SKILL.md) expects a password via --password or the MIGRATOR_PASSWORD environment variable. Additionally, several files read from the user's HOME (.openclaw, clawd) and the tool will write files to the destination directory; these are expected for migration but are sensitive operations. The discrepancy between declared env requirements (none) and actual code usage (MIGRATOR_PASSWORD) is a mismatch to note.
Persistence & Privilege
The skill does not request permanent platform-wide privileges (always:false). It will read files under user HOME and write extracted files into the chosen destination — expected behavior for a migration tool. Autonomous invocation is allowed by default (platform normal) but there is no evidence the skill attempts to modify other skills or system-wide agent settings.
Assessment
This skill appears to implement what it claims, but review before running:
1) Source metadata lacks a homepage — prefer to install from a known/trusted repository or release tag.
2) The tool will read your HOME/.openclaw and HOME/clawd by default and will include sensitive files (openclaw.json, any tokens) in the encrypted archive — verify what is being packaged or exclude files you don't want migrated.
3) The code uses a password (CLI --password or MIGRATOR_PASSWORD env var) but the registry didn't declare required env vars — be explicit when running (pass a strong password via --password).
4) There are developer/test CLI drivers in archive.js and restore.js that operate on test-data; they require MIGRATOR_PASSWORD and are harmless if not executed, but avoid running unknown scripts directly.
5) Always verify the archive on the target machine before restoring and keep a backup of the current target data.
If you want higher assurance, ask the publisher for an official release URL, checksum-signed artifacts, or run the tool in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ag2gcfqczff99gf1m6bksxs80ckfe
