← 返回 Skills 市场
myclaw-ai

Openclaw Memory Transfer

作者 MyClaw.ai · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
98
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install openclaw-memory-transfer
功能描述
Zero-friction memory migration from other AI assistants (ChatGPT, Claude.ai, Gemini, Copilot, Perplexity, Cursor, Windsurf, etc.) into OpenClaw. Triggers: "m...
安全使用建议
This skill appears to do what it says (import memories) but has several red flags you should consider before installing: - The SKILL.md instructs running a Node script (node scripts/parse-chatgpt-export.js) and shell commands (unzip, find, cat, rm) but the skill metadata does not declare Node as a required binary — clarify that requirement and only run the script in a controlled environment. - The skill's local-auto-scan steps read files under ~/.claude, ~/.cursor and project directories. If you enable those flows, the agent will see potentially sensitive files (credentials, private notes). Only allow scanning if you trust the skill and run it on a machine/environment you control. - The prompt-guided and ZIP-based flows ask you to paste or upload whole exports; these exports can contain sensitive data. Do not paste API keys, passwords, or other secrets. Inspect the exported content yourself first and redact anything sensitive. - The included parser uses shell calls (unzip, find, rm -rf via execSync). If you run it locally, run it in an isolated environment (container or VM) and review the script source. Consider running it on a copy of the ZIP rather than the original. If you want to proceed: (1) verify Node is available, (2) review scripts/parse-chatgpt-export.js line-by-line, (3) do migrations on sanitized/export copies, and (4) avoid enabling automatic local scans unless you understand exactly which paths will be read. If anything is unclear, ask the author to clarify how they detect and redact secrets and why Node isn't listed among required binaries.
功能分析
Type: OpenClaw Skill Name: openclaw-memory-transfer Version: 1.0.1 The skill bundle is classified as suspicious due to a shell injection vulnerability in `scripts/parse-chatgpt-export.js`, where the `unzip` command is executed using unsanitized file paths provided via command-line arguments. Additionally, `SKILL.md` instructs the agent to perform broad file system scans across the user's home directory (`~`) to locate and read configuration and memory files from other AI tools (e.g., Claude, Cursor, Windsurf). While these actions are consistent with the stated purpose of 'memory migration' and the script includes path-traversal protections for the extraction process, the combination of broad read access and a command injection flaw presents a significant security risk.
能力评估
Purpose & Capability
The skill's goal (migrating memories from other assistants) matches the included parser for ChatGPT export and prompt-guided flows. However, the SKILL.md instructs running a Node script (node scripts/parse-chatgpt-export.js) but the package metadata declares no required binaries — a mismatch. The skill also claims to auto-scan local agents (Claude Code, Cursor, Windsurf) which explains some local file access, but this capability justifies access only to specific app-memory files; the instructions nevertheless read broad paths which is privacy-sensitive.
Instruction Scope
Runtime instructions explicitly tell the agent to: (a) ask the user to upload/paste entire ChatGPT/other-AI exports, (b) run a bundled Node parser that extracts conversation content using unzip/find/rm shell commands, and (c) for local agents, run shell commands that cat and find files under ~/.claude, ~/.cursor, and project directories. These actions can expose large amounts of personal/sensitive data. The SKILL.md's 'never migrate API keys/tokens' promise is a policy statement only — there is no enforcement or automated redaction beyond some limited user.json handling in the parser.
Install Mechanism
There is no install spec (instruction-only), which limits automatic disk writes. The repo includes a Node.js parser (scripts/parse-chatgpt-export.js) and package.json with a bin entry, so a Node runtime is required to run the parser; this requirement is not declared in the skill metadata. No external downloads or remote install URLs are used.
Credentials
The skill requests no credentials in metadata, which is appropriate. But its instructions ask to upload/paste complete exports and to auto-scan local config/memory files — both can surface secrets, tokens, or other sensitive data even if the author says they won't migrate API keys. The parser only skips some auth fields (user.json) and does not appear to comprehensively scrub exported content. Asking users to paste full structured responses from other AIs also risks transferring sensitive content.
Persistence & Privilege
The skill is not marked always:true and does not request persistent elevated privileges. However, the default ability for the agent to invoke the skill autonomously combined with instructions that scan local files increases blast radius: an autonomously invoked agent using this skill could read local memory/config files. That combination (autonomy + broad local scanning instructions) is a notable risk and should be considered before enabling.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install openclaw-memory-transfer
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /openclaw-memory-transfer 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
v1.0.1: Bilingual prompts (EN/ZH), word-boundary tool detection, ZIP path traversal protection, package.json, fixed mixed-language README
v1.0.0
v1.0.0: Initial release — zero-friction memory migration from ChatGPT, Claude, Gemini, Copilot, Perplexity, Cursor, Windsurf into OpenClaw
元数据
Slug openclaw-memory-transfer
版本 1.0.1
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 2
常见问题

Openclaw Memory Transfer 是什么?

Zero-friction memory migration from other AI assistants (ChatGPT, Claude.ai, Gemini, Copilot, Perplexity, Cursor, Windsurf, etc.) into OpenClaw. Triggers: "m... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 98 次。

如何安装 Openclaw Memory Transfer?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-memory-transfer」即可一键安装,无需额外配置。

Openclaw Memory Transfer 是免费的吗?

是的,Openclaw Memory Transfer 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Openclaw Memory Transfer 支持哪些平台?

Openclaw Memory Transfer 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Openclaw Memory Transfer?

由 MyClaw.ai(@myclaw-ai)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论