← Back to Skills Marketplace
98
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install openclaw-memory-transfer
Description
Zero-friction memory migration from other AI assistants (ChatGPT, Claude.ai, Gemini, Copilot, Perplexity, Cursor, Windsurf, etc.) into OpenClaw. Triggers: "m...
Usage Guidance
This skill appears to do what it says (import memories) but has several red flags you should consider before installing:
- The SKILL.md instructs running a Node script (node scripts/parse-chatgpt-export.js) and shell commands (unzip, find, cat, rm) but the skill metadata does not declare Node as a required binary — clarify that requirement and only run the script in a controlled environment.
- The skill's local-auto-scan steps read files under ~/.claude, ~/.cursor and project directories. If you enable those flows, the agent will see potentially sensitive files (credentials, private notes). Only allow scanning if you trust the skill and run it on a machine/environment you control.
- The prompt-guided and ZIP-based flows ask you to paste or upload whole exports; these exports can contain sensitive data. Do not paste API keys, passwords, or other secrets. Inspect the exported content yourself first and redact anything sensitive.
- The included parser uses shell calls (unzip, find, rm -rf via execSync). If you run it locally, run it in an isolated environment (container or VM) and review the script source. Consider running it on a copy of the ZIP rather than the original.
If you want to proceed: (1) verify Node is available, (2) review scripts/parse-chatgpt-export.js line-by-line, (3) do migrations on sanitized/export copies, and (4) avoid enabling automatic local scans unless you understand exactly which paths will be read. If anything is unclear, ask the author to clarify how they detect and redact secrets and why Node isn't listed among required binaries.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-memory-transfer
Version: 1.0.1
The skill bundle is classified as suspicious due to a shell injection vulnerability in `scripts/parse-chatgpt-export.js`, where the `unzip` command is executed using unsanitized file paths provided via command-line arguments. Additionally, `SKILL.md` instructs the agent to perform broad file system scans across the user's home directory (`~`) to locate and read configuration and memory files from other AI tools (e.g., Claude, Cursor, Windsurf). While these actions are consistent with the stated purpose of 'memory migration' and the script includes path-traversal protections for the extraction process, the combination of broad read access and a command injection flaw presents a significant security risk.
Capability Assessment
Purpose & Capability
The skill's goal (migrating memories from other assistants) matches the included parser for ChatGPT export and prompt-guided flows. However, the SKILL.md instructs running a Node script (node scripts/parse-chatgpt-export.js) but the package metadata declares no required binaries — a mismatch. The skill also claims to auto-scan local agents (Claude Code, Cursor, Windsurf) which explains some local file access, but this capability justifies access only to specific app-memory files; the instructions nevertheless read broad paths which is privacy-sensitive.
Instruction Scope
Runtime instructions explicitly tell the agent to: (a) ask the user to upload/paste entire ChatGPT/other-AI exports, (b) run a bundled Node parser that extracts conversation content using unzip/find/rm shell commands, and (c) for local agents, run shell commands that cat and find files under ~/.claude, ~/.cursor, and project directories. These actions can expose large amounts of personal/sensitive data. The SKILL.md's 'never migrate API keys/tokens' promise is a policy statement only — there is no enforcement or automated redaction beyond some limited user.json handling in the parser.
Install Mechanism
There is no install spec (instruction-only), which limits automatic disk writes. The repo includes a Node.js parser (scripts/parse-chatgpt-export.js) and package.json with a bin entry, so a Node runtime is required to run the parser; this requirement is not declared in the skill metadata. No external downloads or remote install URLs are used.
Credentials
The skill requests no credentials in metadata, which is appropriate. But its instructions ask to upload/paste complete exports and to auto-scan local config/memory files — both can surface secrets, tokens, or other sensitive data even if the author says they won't migrate API keys. The parser only skips some auth fields (user.json) and does not appear to comprehensively scrub exported content. Asking users to paste full structured responses from other AIs also risks transferring sensitive content.
Persistence & Privilege
The skill is not marked always:true and does not request persistent elevated privileges. However, the default ability for the agent to invoke the skill autonomously combined with instructions that scan local files increases blast radius: an autonomously invoked agent using this skill could read local memory/config files. That combination (autonomy + broad local scanning instructions) is a notable risk and should be considered before enabling.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-memory-transfer - After installation, invoke the skill by name or use
/openclaw-memory-transfer - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
v1.0.1: Bilingual prompts (EN/ZH), word-boundary tool detection, ZIP path traversal protection, package.json, fixed mixed-language README
v1.0.0
v1.0.0: Initial release — zero-friction memory migration from ChatGPT, Claude, Gemini, Copilot, Perplexity, Cursor, Windsurf into OpenClaw
Metadata
Frequently Asked Questions
What is Openclaw Memory Transfer?
Zero-friction memory migration from other AI assistants (ChatGPT, Claude.ai, Gemini, Copilot, Perplexity, Cursor, Windsurf, etc.) into OpenClaw. Triggers: "m... It is an AI Agent Skill for Claude Code / OpenClaw, with 98 downloads so far.
How do I install Openclaw Memory Transfer?
Run "/install openclaw-memory-transfer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Openclaw Memory Transfer free?
Yes, Openclaw Memory Transfer is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Openclaw Memory Transfer support?
Openclaw Memory Transfer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Openclaw Memory Transfer?
It is built and maintained by MyClaw.ai (@myclaw-ai); the current version is v1.0.1.
More Skills