← Back to Skills Marketplace
Cloud Backup
by
Evgeni Obuchowski
· GitHub ↗
· v1.1.5
1579
Downloads
4
Stars
13
Active Installs
7
Versions
Install in OpenClaw
/install cloud-backup
Description
Back up and restore OpenClaw state. Creates local archives and uploads to S3-compatible cloud storage (AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOce...
README (SKILL.md)
OpenClaw Cloud Backup
Backs up OpenClaw state to a local archive and uploads it to cloud storage.
Follow the steps below. Inform the user about implicit defaults applied after execution.
Backup procedure (follow every step)
Step 1: Run the backup
bash "{baseDir}/scripts/cloud-backup.sh" backup full
Default mode is full. Use workspace, skills, or settings only when the user explicitly asks for a narrower backup scope.
Step 2: Check backup output for encryption warning
Look at the script output from Step 1. If it contains:
WARN: Encryption is disabled — backup archive will be stored in plaintext.
ask the user:
"Your backups are not encrypted. Archives contain config, credentials, and API keys in cleartext. Want to set a passphrase? (AES-256, just the passphrase needed to restore — no key files.)"
- If user provides a passphrase → write both via
gateway config.patchand tell the user what was saved:skills.entries.cloud-backup.config.encrypt = trueskills.entries.cloud-backup.env.GPG_PASSPHRASE = "\x3Cpassphrase>"Then re-run the backup so the archive is encrypted.
- If user says no / skip → continue to Step 3.
- If the warning is not present (encryption already enabled) → continue to Step 3.
Always execute this step and report the result. Backups may contain secrets — prompt every time encryption is off.
Step 3: Check script output for warnings
Look at the script output. If it contains WARN: Cloud storage is not configured, go to Step 4. Otherwise go to Step 5.
Step 4: Cloud not configured — ask user to set it up
Tell the user the backup was saved locally, then ask:
"Cloud storage isn't configured yet — backups are local only. Want to set up cloud upload? I support AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOcean Spaces, or any other S3-compatible service."
- If user says yes → go to Cloud setup section below, then re-run the backup.
- If user says no / local-only → set
config.upload=falseviagateway config.patchand confirm the change to the user. Done.
Always execute this step — offer cloud setup when it's missing and report what was configured.
Step 5: Report result and ensure scheduling
Report the backup paths from the script output to the user.
Then check if a daily cron job already exists for cloud-backup (cron action=list). If no cron job exists, create one with the default schedule and tell the user:
{
"schedule": { "kind": "cron", "expr": "0 2 * * *" },
"payload": { "kind": "agentTurn", "message": "Run cloud-backup: backup full" },
"sessionTarget": "isolated"
}
Default: daily at 2 AM. Use a different schedule if it was explicitly asked for one.
Tell the user: "Scheduled daily backup at 2 AM." (or whatever time was set).
This step should be executed by default unless user asked not to do it. Report about the result — cron job created or failed to be created.
Cloud setup
When the user agrees to configure cloud storage:
- Ask which provider: AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOcean Spaces, or other.
- Read the matching provider guide from
references/providers/— it has exact config keys, endpoint format, and credential steps. - Collect and write config via
gateway config.patch— bucket, credentials, endpoint (if non-AWS). - Run
statusto verify connectivity, then re-run backup.
Commands
bash "{baseDir}/scripts/cloud-backup.sh" \x3Ccommand>
| Command | What it does |
|---|---|
backup [full|workspace|skills|settings] |
Create archive + upload if configured. Default: full |
list |
Show local + remote backups |
restore \x3Cname> [--dry-run] [--yes] |
Restore from local or cloud. Always --dry-run first |
cleanup |
Prune old archives (local: capped at 7; cloud: count + age) |
status |
Show current config and dependency check |
Config reference
All in skills.entries.cloud-backup in OpenClaw config. Don't write defaults — the script handles them.
config.*
| Key | Default | Description |
|---|---|---|
bucket |
— | Storage bucket name (required for cloud) |
region |
us-east-1 |
Region hint |
endpoint |
(none) | S3-compatible endpoint (required for non-AWS) |
profile |
(none) | Named AWS CLI profile (alternative to keys) |
upload |
true |
Upload to cloud after backup |
encrypt |
false |
GPG-encrypt archives |
retentionCount |
10 |
Cloud: keep N backups. Local: capped at 7 |
retentionDays |
30 |
Cloud only: delete archives older than N days |
env.*
| Key | Description |
|---|---|
ACCESS_KEY_ID |
S3-compatible access key |
SECRET_ACCESS_KEY |
S3-compatible secret key |
SESSION_TOKEN |
Optional temporary token |
GPG_PASSPHRASE |
For automated encryption/decryption |
Provider guides
Read the relevant one only during setup:
references/providers/aws-s3.mdreferences/providers/cloudflare-r2.mdreferences/providers/backblaze-b2.mdreferences/providers/minio.mdreferences/providers/digitalocean-spaces.mdreferences/providers/other.md— any S3-compatible service
Security
See references/security.md for credential handling and troubleshooting.
Usage Guidance
What to consider before installing:
- Functionality: This skill tars your OpenClaw state (~/.openclaw), so archives will include configuration, credentials, and any secrets stored there. That is the intended behavior for a backup tool.
- Credentials: The skill expects S3-compatible credentials (ACCESS_KEY_ID / SECRET_ACCESS_KEY) or a named AWS profile. The recommended flow is to create a bucket-scoped, least-privilege key pair. Prefer a named profile or short-lived credentials where possible instead of storing long-lived secrets in config.
- GPG passphrase: If you enable encryption, the SKILL.md suggests storing the GPG passphrase in the skill's config (env.GPG_PASSPHRASE) for non-interactive restores/cron. Storing passphrases in OpenClaw config is convenient but means the passphrase itself must be protected; consider using a secret manager or requiring interactive entry if you need stronger protection.
- Scheduling/autonomy: The skill can create a cron job that triggers the agent to run backups automatically. Allow this only if you trust the agent and the scheduling action; review the schedule and cron payload before accepting.
- Inspect the script: The full bash script is included in the package; review it if you want to verify details (files excluded, encryption flow, where files are written, exact S3 commands). It uses aws CLI (aws s3 cp/ls/rm), gpg for encryption, and standard tar/sha utilities.
- Protect the OpenClaw config: Ensure ~/.openclaw/openclaw.json is filesystem-permission restricted (the references/security.md already recommends 600). Rotate keys if they are ever exposed.
If those trade-offs are acceptable (i.e., you want automated backups of OpenClaw state and are prepared to manage credentials and encryption appropriately), the skill is coherent and reasonable to use.
Capability Analysis
Type: OpenClaw Skill
Name: cloud-backup
Version: 1.1.5
The OpenClaw Cloud Backup skill is designed to perform backups and restores of the OpenClaw state, including sensitive configuration and credentials, to local storage and S3-compatible cloud services. While it handles highly sensitive data, creates persistence via cron jobs, and has broad file/network access, these capabilities are directly aligned with its stated purpose. The `SKILL.md` instructions guide the agent to configure itself and handle credentials, which is expected for such a skill. The `scripts/cloud-backup.sh` script includes security measures like path traversal checks (`tar_safe`), checksum verification, and careful argument handling for `aws` and `gpg` commands. There is no evidence of intentional harmful behavior, data exfiltration to unauthorized endpoints, or malicious prompt injection attempts beyond the skill's legitimate functionality.
Capability Assessment
Purpose & Capability
Name/description match the implementation. Required binaries (bash, tar, jq, aws) and the included script are appropriate for creating compressed archives, optionally encrypting them with GPG, and uploading via AWS-compatible CLI. The skill only operates on the OpenClaw state directory (OPENCLAW_STATE / ~/.openclaw) and its own config entries.
Instruction Scope
SKILL.md limits runtime actions to: run the included script, prompt the user about encryption, collect cloud provider credentials, write config entries for this skill via gateway config.patch, and optionally create a scheduled cron job. The instructions do not ask to read unrelated system files or exfiltrate data to unexpected endpoints beyond the configured S3-compatible providers.
Install Mechanism
There is no install spec (instruction-only style), and the only code shipped is the bash script. The script is executed directly from the skill bundle (no external downloads or arbitrary installers), which is the lower-risk pattern for this kind of utility.
Credentials
The skill needs access to S3-compatible credentials and an optional GPG passphrase to function. These are requested via OpenClaw config entries (skills.entries.cloud-backup.env.*) or via named AWS profile. This is expected, but worth noting: storing ACCESS_KEY_ID / SECRET_ACCESS_KEY and GPG_PASSPHRASE in the OpenClaw config means secrets may be persisted in plain text unless the environment/host protects that file. The SKILL.md explicitly warns backups contain secrets and prompts the user to enable encryption—this is appropriate but the storage of the passphrase in config is a sensitive choice the user should consider.
Persistence & Privilege
The skill may create a scheduled cron job that triggers an agentTurn payload (i.e., autonomous invocations). This is coherent with the backup use-case (scheduling regular backups) and the SKILL.md says to ask the user before scheduling, but users should be aware that the cron payload will cause the agent to run the skill autonomously at the specified times.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install cloud-backup - After installation, invoke the skill by name or use
/cloud-backup - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.5
- Updated documentation for Backblaze B2 in `references/providers/backblaze-b2.md`.
- No functional or behavioral changes to the skill logic.
v1.1.4
- Removed redundant README.md file for improved maintainability.
- Updated Backblaze B2 provider documentation.
- Made minor adjustments to backup script and provider references.
v1.0.1
- Removed top-level README.md file.
- Updated Backblaze B2 provider reference (references/providers/backblaze-b2.md).
- Modified backup script (scripts/cloud-backup.sh).
v1.1.3
- Improved clarity of user prompts and required confirmations throughout backup and cloud setup steps.
- Now always informs the user about implicit defaults and config changes after each action.
- Prompts and action reporting for encryption and cloud storage are now always performed when needed.
- Ensures creation of a daily cron job is reported to the user, including when the schedule is changed or setup fails.
- Expanded provider support wording in both description and prompts to include any S3-compatible service.
v1.1.2
cloud-backup 1.1.2
- unblock VirusTotal
v1.1.1
- Clarified and reinforced step-by-step reporting: now explicitly instructs to inform users about implicit defaults and changes after execution.
- Enforced explicit user notification after any config change (encryption, upload, cron scheduling).
- Expanded cloud provider support messaging to include "any other S3-compatible service" for broader compatibility.
- Updated procedures to always follow (no steps skipped by default) and to report outcomes, including failure or configuration status.
- README.md file removed; documentation is now consolidated within SKILL.md.
v1.1.0
- Added detailed procedures for backup, encryption prompts, and cloud storage setup.
- Now supports backup to multiple S3-compatible providers: AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOcean Spaces.
- Automatically prompts to enable encryption if backups are not encrypted.
- Prompts user to configure cloud storage if not already set, with step-by-step provider-specific guidance.
- Ensures every backup is scheduled via a cron job; creates a daily 2 AM schedule if missing.
- Provides new config and command reference sections for clarity.
Metadata
Frequently Asked Questions
What is Cloud Backup?
Back up and restore OpenClaw state. Creates local archives and uploads to S3-compatible cloud storage (AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOce... It is an AI Agent Skill for Claude Code / OpenClaw, with 1579 downloads so far.
How do I install Cloud Backup?
Run "/install cloud-backup" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Cloud Backup free?
Yes, Cloud Backup is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Cloud Backup support?
Cloud Backup is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Cloud Backup?
It is built and maintained by Evgeni Obuchowski (@obuchowski); the current version is v1.1.5.
More Skills