Soul Transfer

Backup and restore an OpenClaw agent's full workspace (memory, config, credentials, skills, cron jobs) to/from a Git repository. Use when: migrating to a new...

This skill is coherent for migrating an agent, but it explicitly exports live channel tokens and API keys and tells you to commit them to a Git repo and (optionally) automate pushes. Before using it, consider the following: - Treat the config backup JSON as extremely sensitive. Do NOT store it in plaintext in a remote Git repo unless you fully control and trust the repo (prefer a private repo only accessible to a minimal set of accounts). - Prefer encrypting the config backup (GPG, SOPS, age, or similar) before committing, and store decryption keys separately and securely. - Avoid embedding authentication tokens in remote URLs (https://<token>@...). That leaks tokens in process lists, shell histories, and some logs. Use an authenticated Git remote configured in a secure way (credential helper, deploy key, or ephemeral CI token) instead. - If you must push secrets, rotate credentials after a transfer is complete and verify no tokens ended up in public history (run git log --grep, filter-branch/BFG if needed). - Review and restrict cron templates: automated backups should be limited in frequency and target only trusted remotes; ensure any automated agentTurn payloads cannot exfiltrate more than intended. - Confirm the presence and permissions of gateway/openclaw tooling used by the scripts; restoring config via config.patch will reconnect channels and may enable message delivery immediately — verify environment and safety policies before patching. - If you want a safer workflow, remove secrets from the repo and transfer them via an out-of-band encrypted channel, or store secrets in a dedicated secret manager rather than in git. Given these issues, treat this skill as "suspicious" until you apply appropriate operational safeguards (encryption, access controls, token rotation) and confirm the backup repo/workflow meets your security requirements.

Type: OpenClaw Skill Name: soul-transfer Version: 1.1.0 The 'soul-transfer' skill provides a mechanism for full agent migration by backing up the entire workspace and configuration—including sensitive API keys and bot tokens—to a Git repository. It explicitly instructs the agent in SKILL.md to store unredacted credentials in 'openclaw-config-backup.json' and to use Git URLs containing authentication tokens. While intended for backup and disaster recovery, the implementation facilitates the exfiltration of the agent's entire 'soul' (identity and secrets) to external servers, and the provided cron templates in 'references/cron-templates.md' establish automated persistence for this high-risk data transfer.