chris6970barbarian-hue

Openclaw Migrate

Author: Glitch · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 692
Favorites: 0
Current installs: 3
Versions: 1
Install in OpenClaw
/install openclaw-migrate
Description
Migrate OpenClaw configs, skills, memory, tokens, environment variables, and cron jobs to a new host via SSH with setup, test, and migrate commands.
Security usage recommendations
This tool will copy your OpenClaw workspace, configuration files, environment variables (including tokens), and cron jobs to the target host and will append exported env vars to remote shell profiles. Before installing/running:
- Inspect main.js yourself (it is included) and confirm the exact files/variables it will copy. The SKILL.md description of HA_* variable handling doesn’t match the code.
- Backup any secrets and the remote host state. Treat the target host as trusted before transmitting secrets.
- Be aware the script constructs shell/ssh/scp commands by interpolating user-supplied values (host, user, key, profile contents) without sanitization — this can be dangerous if those values contain unexpected characters. Use this only in a controlled, trusted network or with a non-privileged test account first.
- Consider manually reviewing which environment variables and files you actually want migrated and remove others from your local environment or the sync list before running.
- If you need assurance, run the migration in a sandbox or on a disposable VM, or ask the author for a provenance/homepage and clarification about HA_* handling and local config storage.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-migrate
Version: 1.0.0

The OpenClaw Migration skill is classified as suspicious due to critical shell injection vulnerabilities in `main.js`. The `sshExec` function, which executes remote commands, is vulnerable to local shell injection via user-provided `user` and `host` parameters, and remote shell injection via the `cmd` parameter. Additionally, the `syncEnvVars` function is vulnerable to remote shell injection when writing environment variables to remote shell profiles (e.g., `.bashrc`), as environment variable values are not properly sanitized, allowing for arbitrary command execution when the profile is sourced. While the skill's stated purpose of migrating OpenClaw involves high-risk operations (SSH, SCP, modifying system files), these specific implementation flaws allow for unauthorized command execution beyond the intended scope, making it a significant security risk.
Capability assessment
Purpose & Capability
Name/description match the behavior: the code enumerates ~/.openclaw, ~/.config/openclaw, npm global OpenClaw, environment variables, and crontab and copies them to a remote host via SSH/SCP. No unrelated credentials or services are requested.
Instruction Scope
SKILL.md promises syncing "Any `HA_*` vars", but the implementation only checks a fixed ENV_VARS_TO_SYNC array (explicit names). The skill will read local environment variables and the user's crontab and will copy the entire ~/.openclaw workspace — this is consistent with migration but broad and includes potentially sensitive files. The instructions are explicit about migrating tokens and env vars, but the code's behavior and the documentation are not exactly identical.
Install Mechanism
No external install script or remote download; the skill is provided as code bundled in the package (main.js). There is no installer that pulls arbitrary code from unknown URLs.
Credentials
The tool reads and will transfer sensitive environment variables (HA_TOKEN, GITHUB_TOKEN, GOOGLE_* keys, etc.) and the user's crontab to the target host. That is proportionate for a full migration tool, but it is high-risk: secrets are written in plaintext into remote shell profiles and a local config.json with target details is stored next to the skill. The SKILL.md claims a broader HA_* scan than the code implements.
Persistence & Privilege
The skill does not request platform-wide privileges or always-on status. It saves a local config.json (target host, user, key path) and modifies remote user's shell profiles and crontab as part of migration — expected for this purpose but scope-affecting on the remote host.
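How to use
  1. Make sure OpenClaw is installed (locally or via Docker deployment)
  2. Enter the install command in the chat box: /install openclaw-migrate
  3. Once installed, invoke the Skill directly by name or trigger it with /openclaw-migrate
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history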
v1.0.0
Initial release – migrate OpenClaw between hosts via SSH in one command.
- Provides interactive setup for target host configuration.
- Migrates all OpenClaw config, skills, memory, and tokens.
- Syncs relevant files, directories, environment variables, and cron jobs.
- Supports testing the SSH connection and status checks.
- Offers error handling and prompts for missing prerequisites.
Metadata
Slug openclaw-migrate
Version 1.0.0
License
Total installs 3
Current installs 3
Historical version count 1
FAQ

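What is Openclaw Migrate?

Migrate OpenClaw configs, skills, memory, tokens, environment variables, and cron jobs to a new host via SSH with setup, test, and migrate commands. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 692 total downloads to date.

How do I install Openclaw Migrate?

Run the command "/install openclaw-migrate" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is Openclaw Migrate free?

Yes, Openclaw Migrate is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Openclaw Migrate support?

Openclaw Migrate runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Openclaw Migrate?

Developed and maintained by Glitch (@chris6970barbarian-hue); the current version is v1.0.0.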
