OpenClaw Migrator

Securely migrate OpenClaw Agent (config, memory, skills) to a new machine.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (migrate OpenClaw agent config, memory, skills) match the code: createArchive/restoreArchive implement tar packaging and AES-256-GCM encryption, include a manifest, and fix workspace paths on restore. Dependency choices (archiver, tar, fs-extra) are appropriate for the stated task.
Instruction Scope
SKILL.md usage (export/import with a password) aligns with the CLI implemented in src/index.js. The skill will read .openclaw and clawd directories (by default HOME-based paths) and will package whatever is present there — including sensitive files like openclaw.json and tokens, which the README and SKILL.md explicitly mention. Two source files (src/archive.js and src/restore.js) also include small standalone CLI drivers that operate on test-data paths; these are developer/test artifacts and not part of the main index.js CLI but they do require MIGRATOR_PASSWORD when invoked directly.
Install Mechanism
There is no install spec in the registry (instruction-only), but a package.json and source are included. The dependencies are standard npm packages; there are no remote downloads or URL-based installers. README suggests cloning from GitHub, but the registry entry has no homepage — you should obtain a canonical release if you plan to install.
Credentials
The registry metadata declares no required env vars, but the code (and SKILL.md) expects a password via --password or the MIGRATOR_PASSWORD environment variable. Additionally, several files read from the user's HOME (.openclaw, clawd) and the tool will write files to the destination directory; these are expected for migration but are sensitive operations. The discrepancy between declared env requirements (none) and actual code usage (MIGRATOR_PASSWORD) is a mismatch to note.
Persistence & Privilege
The skill does not request permanent platform-wide privileges (always:false). It will read files under user HOME and write extracted files into the chosen destination — expected behavior for a migration tool. Autonomous invocation is allowed by default (platform normal) but there is no evidence the skill attempts to modify other skills or system-wide agent settings.
Assessment
This skill appears to implement what it claims, but review before running:

1) Source metadata lacks a homepage — prefer to install from a known/trusted repository or release tag.
2) The tool will read your HOME/.openclaw and HOME/clawd by default and will include sensitive files (openclaw.json, any tokens) in the encrypted archive — verify what is being packaged or exclude files you don't want migrated.
3) The code uses a password (CLI --password or MIGRATOR_PASSWORD env var) but the registry didn't declare required env vars — be explicit when running (pass a strong password via --password).
4) There are developer/test CLI drivers in archive.js and restore.js that operate on test-data; they require MIGRATOR_PASSWORD and are harmless if not executed, but avoid running unknown scripts directly.
5) Always verify the archive on the target machine before restoring and keep a backup of the current target data.

If you want higher assurance, ask the publisher for an official release URL, checksum-signed artifacts, or run the tool in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk97ag2gcfqczff99gf1m6bksxs80ckfe

SKILL.md

OpenClaw Migrator

A utility to package an Agent's state into a portable, encrypted archive (.oca) for migration.

Features

  • Encrypted Archive: Uses AES-256-GCM + auth tag for confidentiality and integrity.
  • Path Normalization: Restores workspace path using manifest.json metadata.
  • Dependency Manifest: Captures system dependencies (Brewfile) to ensure the new environment matches.

Usage

Export (On Old Machine)

migrator export --out my-agent.oca --password "secret"

Import (On New Machine)

migrator import --in my-agent.oca --password "secret"

Security

This skill handles sensitive data (openclaw.json, auth.token). The export process always requires a password to encrypt the archive. Unencrypted exports are disabled by design.
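
The password-protected AES-256-GCM archive described above, as an added example (not the migrator's own code). It assumes a scrypt-derived key and a made-up `MAGIC | salt | iv | tag | ciphertext` layout, neither of which the page specifies, and shows that a wrong password or a single flipped byte fails authentication before any plaintext is returned.

```javascript
// Added illustration only: not the migrator's source and not the real .oca format.
const crypto = require("node:crypto");
// Assumed layout (hypothetical): MAGIC | salt(16) | iv(12) | tag(16) | ciphertext
const MAGIC = Buffer.from("DEMO1"), SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;
const HEADER_LEN = MAGIC.length + SALT_LEN + IV_LEN + TAG_LEN;
// scrypt is an assumed KDF; the page does not say how the password becomes a key.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const deriveKey = (password, salt) => crypto.scryptSync(password, salt, 32, KDF);

function seal(plaintext, password) {
  const salt = crypto.randomBytes(SALT_LEN); // fresh per archive
  const iv = crypto.randomBytes(IV_LEN);     // never reuse an IV under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  cipher.setAAD(MAGIC);                      // header magic is covered by the tag
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, salt, iv, cipher.getAuthTag(), body]);
}

function unseal(blob, password) {
  if (blob.length < HEADER_LEN || !blob.subarray(0, MAGIC.length).equals(MAGIC))
    throw new Error("not a recognised archive");
  const salt = blob.subarray(MAGIC.length, MAGIC.length + SALT_LEN);
  const iv = blob.subarray(MAGIC.length + SALT_LEN, HEADER_LEN - TAG_LEN);
  const tag = blob.subarray(HEADER_LEN - TAG_LEN, HEADER_LEN);
  const d = crypto.createDecipheriv("aes-256-gcm", deriveKey(password, salt), iv, { authTagLength: TAG_LEN });
  d.setAAD(MAGIC);
  d.setAuthTag(tag);
  // final() throws on a tag mismatch, so no unauthenticated plaintext is returned.
  return Buffer.concat([d.update(blob.subarray(HEADER_LEN)), d.final()]);
}

// Check an archive before restoring: true only if every byte authenticates.
function verify(blob, password) {
  try { unseal(blob, password); return true; } catch { return false; }
}

function demo() {
  const secret = Buffer.from('{"auth.token":"constructed-sample-value"}'); // constructed
  const blob = seal(secret, "constructed passphrase");
  const flipped = Buffer.from(blob);
  flipped[flipped.length - 1] ^= 0x01; // one bit changed in transit
  return {
    roundTrip: unseal(blob, "constructed passphrase").equals(secret),
    wrongPassword: verify(blob, "guess"),
    tampered: verify(flipped, "constructed passphrase"),
    plaintextVisible: blob.includes("constructed-sample-value"),
  };
}
console.log(demo());
```

When a large archive is decrypted as a stream, write the output to a temporary location and extract it only after `final()` succeeds, since `update()` emits bytes before the tag has been checked.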
