MyOpenClaw Backup Restore

Cross-platform backup and restore for OpenClaw. Works on Windows, macOS, and Linux — backups created on any OS can be restored on any other OS. Use when user...

This package appears to implement the advertised backup/restore functionality, including a local HTTP UI and upload/download endpoints. However: - Metadata mismatches: the package's _meta.json owner/version differ from the registry metadata and SKILL.md declares read/write ~/.openclaw and network listen while the registry shows no config paths — ask the publisher to explain these inconsistencies and confirm the canonical source. - External commands: the scripts call 'openclaw --version' and rely on tar or PowerShell Compress/Expand; ensure your system has these tools and that you trust the openclaw binary in PATH before running. - Sensitive data: backups include bot tokens/API keys/credentials. Only run this on machines you control, and never upload backups to public repos. The HTTP server requires a token, but tokens appear in generated download URLs and the UI HTML — avoid exposing the UI to untrusted networks and prefer localhost-only access. - Exec usage: the server and backup scripts use execSync to run shell commands. That is expected for archive operations but increases risk if you run the server with attacker-controlled BACKUP_DIR or if you expose the server to untrusted clients. Recommendations before installing/running: 1) Verify the author's identity and canonical source (homepage or repo). Resolve owner/version mismatches. 2) Inspect the full scripts locally (you already have them) and run in a sandbox or VM first. 3) Start the HTTP server only with a strong token and bind it to localhost; avoid exposing it publicly or behind untrusted proxies. 4) Back up current ~/.openclaw separately before running any restore. Use --dry-run first. If you want, I can point out any specific lines of code that implement the restore, restart, or server behaviors, or scan for risky shell invocations in the truncated parts of the scripts.

Type: OpenClaw Skill Name: myopenclaw-backup-restore Version: 3.0.2 This skill bundle provides a high-capability backup and restore utility that centralizes all sensitive OpenClaw data, including API keys, bot tokens, and session histories from ~/.openclaw. While the code in scripts/backup-restore.js and scripts/server.js includes security features like token authentication, localhost-only restrictions for destructive actions, and permission hardening (chmod 600), the inherent risk of a tool that packages all system secrets into archives and serves them via a network-accessible HTTP server is significant. The use of execSync for shell operations and the management of credentials via a web UI (ui.html) represent a high-risk profile that, while aligned with the stated purpose, warrants caution and strict access control.