← Back to Skills Marketplace
692
Downloads
0
Stars
3
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-migrate
Description
Migrate OpenClaw configs, skills, memory, tokens, environment variables, and cron jobs to a new host via SSH with setup, test, and migrate commands.
Usage Guidance
This tool will copy your OpenClaw workspace, configuration files, environment variables (including tokens), and cron jobs to the target host and will append exported env vars to remote shell profiles. Before installing/running:
- Inspect main.js yourself (it is included) and confirm the exact files/variables it will copy. The SKILL.md description of HA_* variable handling doesn’t match the code.
- Backup any secrets and the remote host state. Treat the target host as trusted before transmitting secrets.
- Be aware the script constructs shell/ssh/scp commands by interpolating user-supplied values (host, user, key, profile contents) without sanitization — this can be dangerous if those values contain unexpected characters. Use this only in a controlled, trusted network or with a non-privileged test account first.
- Consider manually reviewing which environment variables and files you actually want migrated and remove others from your local environment or the sync list before running.
- If you need assurance, run the migration in a sandbox or on a disposable VM, or ask the author for a provenance/homepage and clarification about HA_* handling and local config storage.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-migrate
Version: 1.0.0
The OpenClaw Migration skill is classified as suspicious due to critical shell injection vulnerabilities in `main.js`. The `sshExec` function, which executes remote commands, is vulnerable to local shell injection via user-provided `user` and `host` parameters, and remote shell injection via the `cmd` parameter. Additionally, the `syncEnvVars` function is vulnerable to remote shell injection when writing environment variables to remote shell profiles (e.g., `.bashrc`), as environment variable values are not properly sanitized, allowing for arbitrary command execution when the profile is sourced. While the skill's stated purpose of migrating OpenClaw involves high-risk operations (SSH, SCP, modifying system files), these specific implementation flaws allow for unauthorized command execution beyond the intended scope, making it a significant security risk.
Capability Assessment
Purpose & Capability
Name/description match the behavior: the code enumerates ~/.openclaw, ~/.config/openclaw, npm global OpenClaw, environment variables, and crontab and copies them to a remote host via SSH/SCP. No unrelated credentials or services are requested.
Instruction Scope
SKILL.md promises syncing "Any `HA_*` vars", but the implementation only checks a fixed ENV_VARS_TO_SYNC array (explicit names). The skill will read local environment variables and the user's crontab and will copy the entire ~/.openclaw workspace — this is consistent with migration but broad and includes potentially sensitive files. The instructions are explicit about migrating tokens and env vars, but the code's behavior and the documentation are not exactly identical.
Install Mechanism
No external install script or remote download; the skill is provided as code bundled in the package (main.js). There is no installer that pulls arbitrary code from unknown URLs.
Credentials
The tool reads and will transfer sensitive environment variables (HA_TOKEN, GITHUB_TOKEN, GOOGLE_* keys, etc.) and the user's crontab to the target host. That is proportionate for a full migration tool, but it is high-risk: secrets are written in plaintext into remote shell profiles and a local config.json with target details is stored next to the skill. The SKILL.md claims a broader HA_* scan than the code implements.
Persistence & Privilege
The skill does not request platform-wide privileges or always-on status. It saves a local config.json (target host, user, key path) and modifies remote user's shell profiles and crontab as part of migration — expected for this purpose but scope-affecting on the remote host.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-migrate - After installation, invoke the skill by name or use
/openclaw-migrate - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release – migrate OpenClaw between hosts via SSH in one command.
- Provides interactive setup for target host configuration.
- Migrates all OpenClaw config, skills, memory, and tokens.
- Syncs relevant files, directories, environment variables, and cron jobs.
- Supports testing the SSH connection and status checks.
- Offers error handling and prompts for missing prerequisites.
Metadata
Frequently Asked Questions
What is Openclaw Migrate?
Migrate OpenClaw configs, skills, memory, tokens, environment variables, and cron jobs to a new host via SSH with setup, test, and migrate commands. It is an AI Agent Skill for Claude Code / OpenClaw, with 692 downloads so far.
How do I install Openclaw Migrate?
Run "/install openclaw-migrate" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Openclaw Migrate free?
Yes, Openclaw Migrate is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Openclaw Migrate support?
Openclaw Migrate is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Openclaw Migrate?
It is built and maintained by Glitch (@chris6970barbarian-hue); the current version is v1.0.0.
More Skills