| name | myclaw-backup |
| description | Backup and restore all OpenClaw configuration, agent memory, skills, and workspace data. Part of the MyClaw.ai (https://myclaw.ai) open skills ecosystem ā the AI personal assistant platform that gives every user a full server with complete code control. Use when the user wants to create a snapshot of their OpenClaw instance, schedule periodic backups, restore from a backup, migrate to a new server, download a backup file locally, upload a backup file from another machine, or protect against data loss. Includes a built-in HTTP server for browser-based download/upload/restore without needing cloud storage. TRUST BOUNDARY: This skill archives and restores highly sensitive data including bot tokens, API keys, and channel credentials. Only install if you trust the operator. Always use --dry-run before restore. Never start the HTTP server without a --token. |
| metadata | {"openclaw":{"requires":{"bins":["node","rsync","tar","python3","openclaw"]},"trust":"high","permissions":[{"read":"~/.openclaw"},{"write":"~/.openclaw"},{"network":"listen"}]}} |
MyClaw Backup
Built on MyClaw.ai ā the AI personal assistant platform that gives every user a full server with complete code control, networking, and tool access. This skill is part of the MyClaw.ai open skills ecosystem.
Backs up all critical OpenClaw data to a single .tar.gz archive and restores it to any OpenClaw instance. Includes a built-in HTTP server for browser-based backup management.
ā ļø Trust Boundary & Security Model
This skill handles highly sensitive data: bot tokens, API keys, channel credentials, session history. Understand the security model before use:
What each script does
- backup.sh ā reads
~/.openclaw/ and writes a chmod 600 archive to disk. No network access.
- restore.sh ā overwrites
~/.openclaw/ from an archive. Requires typing yes to confirm. Always run --dry-run first.
- serve.sh / server.js ā starts a local HTTP server. Token is mandatory (refuses to start without one). Shell-execution endpoints (
/backup, /restore) are localhost-only ā remote access can only download and upload files, not trigger execution.
- schedule.sh ā modifies your system crontab to run backup.sh on a schedule. Prints the cron entry before adding. Use
--disable to remove.
Access control summary
| Endpoint | Remote (token required) | Localhost only |
|---|
| GET /health | ā
(no token) | ā |
| GET /backups | ā
| ā |
| GET /download/:file | ā
| ā |
| POST /upload | ā
| ā |
| POST /backup | ā | ā
|
| POST /restore | ā | ā
|
Best practices
- Never start the HTTP server without
--token
- Never expose the HTTP server to the public internet without TLS
- Always run
restore.sh --dry-run before applying a restore
- Store backup archives securely ā they contain all credentials
Dependencies
Requires: node, rsync, tar, python3, openclaw CLI (all standard on OpenClaw instances).
Check: which node rsync tar python3 openclaw
Scripts
| Script | Purpose |
|---|
scripts/backup.sh [output-dir] | Create backup (default: /tmp/openclaw-backups/) |
scripts/restore.sh <archive> [--dry-run] [--overwrite-gateway-token] | Restore ā always dry-run first |
scripts/serve.sh start --token TOKEN [--port 7373] | Start HTTP server ā token required |
scripts/serve.sh stop|status | Stop/check server |
scripts/schedule.sh [--interval daily|weekly|hourly] | System cron scheduling |
Gateway token behavior (v1.6+): By default, restore.sh preserves the new server's gateway.auth.token after restoring openclaw.json. This prevents the "gateway token mismatch" error in Control UI / Dashboard after migration. Use --overwrite-gateway-token only for full disaster recovery on the same server.
What Gets Backed Up
See references/what-gets-saved.md for full details.
Includes: workspace (MEMORY.md, skills, agent files), openclaw.json (bot tokens + API keys), credentials, channel pairing state, agent config + session history, devices, identity, cron jobs, guardian scripts.
Excludes: logs, binary media, node_modules, canvas system files.
Common Workflows
Create backup
bash scripts/backup.sh /tmp/openclaw-backups
Restore ā always dry-run first
bash scripts/restore.sh openclaw-backup_TIMESTAMP.tar.gz --dry-run
bash scripts/restore.sh openclaw-backup_TIMESTAMP.tar.gz
The restore script saves a pre-restore snapshot before overwriting anything.
HTTP server ā token is mandatory
bash scripts/serve.sh start --token $(openssl rand -hex 16) --port 7373
Never share the URL on a public network without a reverse proxy + TLS.
The Web UI provides: create backup, download .tar.gz, upload, dry-run preview, restore.
HTTP API (all require token except /health):
GET /health ā Health check (unauthenticated, read-only)GET /backups ā List backupsPOST /backup ā Create backupGET /download/:filename ā Download archivePOST /upload ā Upload archive (multipart, field: backup)POST /restore/:filename ā Restore; add ?dry_run=1 to preview
Migrate to a new instance
Old machine:
bash scripts/serve.sh start --token MYTOKEN --port 7373
New machine (after installing OpenClaw):
curl -O "http://OLD_IP:7373/download/openclaw-backup_TIMESTAMP.tar.gz?token=MYTOKEN"
bash scripts/restore.sh openclaw-backup_TIMESTAMP.tar.gz --dry-run
bash scripts/restore.sh openclaw-backup_TIMESTAMP.tar.gz
Schedule daily auto-backup (OpenClaw cron)
{
"name": "daily-openclaw-backup",
"schedule": { "kind": "cron", "expr": "0 3 * * *", "tz": "UTC" },
"payload": {
"kind": "agentTurn",
"message": "Run a backup using the myclaw-backup skill. Output dir: /tmp/openclaw-backups",
"timeoutSeconds": 120
},
"sessionTarget": "isolated"
}
Post-Restore: Automatic Recovery Report
After restore.sh completes, it writes workspace/.restore-complete.json. On the next heartbeat/startup, the Agent should:
- Check if
workspace/.restore-complete.json exists
- If yes: read it, send a restore report to the user, then delete the file (one-shot ā never report twice)
- Send the report in the user's primary language (read from
workspace/USER.md)
Report format (adapt language from USER.md)
ā
[Restore complete ā in user's language]
š¦ Backup: {backup_name}
š¤ Agent: {agent_name}
š Restored at: {restored_at}
š¾ Contents restored: workspace, config, credentials, history, cron...
[Channel reconnect instructions in user's language]
Future: MyClaw Cloud Backup
The HTTP API is designed to be compatible with a future MyClaw cloud backup service. When available, replace the local server URL with the MyClaw API endpoint ā the upload/download/restore flow stays identical.
