Migrator
Warn
Audited by ClawScan on May 10, 2026.
Overview
Migrator mostly matches its stated migration purpose, but its restore flow can write broad files into your home directory and applies decrypted archive contents before tight validation.
Use this only with archives you created and trust. Before importing, back up your existing ~/.openclaw and workspace, restore to a temporary directory if possible, inspect the contents, and avoid putting real passwords directly in shell commands.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted but decryptable .oca archive could place or overwrite unrelated files under the restore destination; with the normal home-directory restore workflow this could affect more than OpenClaw state.
The restore filter blocks only absolute paths and '..' traversal, then accepts all other relative archive entries. It does not allow-list expected OpenClaw paths such as .openclaw, clawd, .clawdbot, or manifest.json, and it does not prevent overwriting existing files.
const extractor = tar.x({
  cwd: targetDir,
  filter: (path) => {
    ...
    if (normalizedPath.startsWith('/') || normalizedPath.includes('..')) {
      ...
      return false;
    }
    return true;
  },
Restore into a temporary staging directory first, validate a signed or trusted manifest, allow-list only expected OpenClaw paths, and prompt or back up before overwriting files.
If an archive is corrupted or tampered with, extraction may already have modified files before decryption ultimately fails, leaving partial or corrupted state behind.
AES-GCM authentication is only checked at the end of decryption, but plaintext is streamed directly into the tar extractor before that final integrity check succeeds.
splitter.on('tag', (tag) => {
  try {
    decipher.setAuthTag(tag);
  } catch (e) {
    reject(new Error('Invalid auth tag'));
  }
});
...
input.pipe(splitter).pipe(decipher).pipe(extractor);
Decrypt and authenticate to a temporary file or buffer first, then extract only after authentication succeeds; clean up staged files on any failure.
A user following the example with a real password could accidentally expose the password protecting their migrated tokens and memory.
The security-sensitive archive password is shown as a command-line argument for an archive that contains tokens. Command-line secrets can be exposed through shell history, process listings, logs, or copied transcripts.
migrator export --out my-agent.oca --password "secret" ... This skill handles sensitive data (`openclaw.json`, `auth.token`).
Avoid putting real passwords on the command line; add an interactive hidden prompt or safer secret input, and update the docs to warn users.
Anyone who obtains both the archive and its password may be able to recover OpenClaw tokens or provider credentials from the migrated state.
The skill explicitly includes local OpenClaw configuration and auth material in the migration archive. This is expected for migration, but it carries delegated account/session authority.
This skill handles sensitive data (`openclaw.json`, `auth.token`).
Use a strong unique password, transfer archives only through trusted channels, delete old archives when finished, and rotate tokens if an archive is lost.
Restored memory or skills may carry forward private context, stale instructions, or poisoned behavior into future OpenClaw sessions.
The skill is designed to move persistent memory and skills to another machine. That is purpose-aligned, but those files can contain private information or instructions that influence future agent behavior.
description: Securely migrate OpenClaw Agent (config, memory, skills) to a new machine.
Import only archives you created or fully trust, review restored memory and skills after migration, and keep a backup of the destination state before import.
