OpenClaw Migrator
Review
Audited by ClawScan on May 10, 2026.
Overview
The migrator’s purpose is coherent, but its restore path can write archive contents directly into the user’s home/agent state without clear containment or pre-verified extraction.
Use this only with archives you created yourself and keep both the archive and password private. Before importing, back up your existing ~/.openclaw and workspace, and be aware that restore may overwrite persistent agent configuration, memory, skills, and tokens.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or untrusted archive could write unexpected files under the restore destination, which defaults to a broad user-controlled location in the import command.
The restore code extracts every archive entry into the chosen target directory and logs each entry, but contains no allowlist limiting restores to expected OpenClaw paths such as .openclaw, clawd, or manifest.json.
const tar = require('tar'); // node-tar, inferred from the tar.x() call
const extractor = tar.x({
  cwd: targetDir,
  // every entry is written under targetDir as-is; no path check or allowlist
  onentry: (entry) => {
    console.log(`Extracting: ${entry.path}`);
  }
});
Only import archives you created and trust. The skill should add entry validation, path restrictions, overwrite prompts, and a backup/staging restore flow.
If an archive is corrupted or tampered with, restoration may begin writing files before the failure is detected, potentially leaving partial or inconsistent agent state.
The decrypted stream is piped directly into tar extraction while the GCM authentication tag is handled at the end of the stream. Authenticated encryption is only fully verified at finalization, so the code uses decrypted data before the archive has been completely authenticated.
splitter.on('tag', (tag) => {
  try {
    // the tag is only known once the stream ends, after data has already flowed
    decipher.setAuthTag(tag);
  } catch (e) {
    reject(new Error('Invalid auth tag'));
  }
});
...
// decrypted bytes reach the extractor before the tag above has been checked
input.pipe(splitter).pipe(decipher).pipe(extractor);
Decrypt and verify into a temporary file or staging area first, then extract only after authentication succeeds; also clean up partial restores on failure.
The exported archive may contain API keys, tokens, agent profiles, and private configuration. Anyone with the archive password can restore or inspect that state.
The skill explicitly handles OpenClaw configuration and authentication material, which is expected for migration but sensitive.
This skill handles sensitive data (`openclaw.json`, `auth.token`).
Use a strong unique password, protect the .oca file, avoid sharing it, and rotate tokens if the archive or password may have been exposed.
Restored memories or skills may carry old instructions, sensitive context, or unwanted behavior into the new machine.
The skill intentionally migrates persistent memory and skills, which can influence future agent behavior after restore.
Securely migrate OpenClaw Agent (config, memory, skills) to a new machine.
Review restored memory and installed skills after import, especially if the archive was not created directly by you.
Users must trust the repository and the npm dependency resolution used at install time.
The installation path relies on cloning a repository and installing npm dependencies, while the registry metadata provides no install spec or homepage.
git clone https://github.com/anchor-jevons/openclaw-migrator
cd openclaw-migrator
npm install
npm link
Install from a trusted source, review the repository, and prefer pinned dependencies or a lockfile before using it on sensitive agent state.
