Menu
Migrate from OpenClaw to NanoClaw v2. Detects an existing OpenClaw installation, extracts identity, channel credentials, scheduled tasks, and other config, then guides interactive migration. Triggers on "migrate from openclaw", "openclaw migration", "import from openclaw".
| name | migrate-from-openclaw |
| description | Migrate from OpenClaw to NanoClaw v2. Detects an existing OpenClaw installation, extracts identity, channel credentials, scheduled tasks, and other config, then guides interactive migration. Triggers on "migrate from openclaw", "openclaw migration", "import from openclaw". |
Guide the user through migrating their OpenClaw installation into NanoClaw v2. This is a conversation, not a batch job. Read OpenClaw state, discuss it with the user, decide together what to bring over and where it belongs in v2's entity model, and show proposed changes before applying.
Principle: Never silently copy data. Read it, explain it, place it, then
apply. Credentials are masked when displayed (first 4 + ... + last 4). Make
judgment calls about what's core vs. reference material.
UX: Use AskUserQuestion for multiple-choice only. Use plain text for
free-form input. Don't dump raw data — summarize and explain conversationally.
This skill drives existing NanoClaw entry points (setup/index.ts --step register, scripts/init-first-agent.ts, the onecli CLI) and copies a few
files in (workspace markdown, OpenClaw skills, and its own transform module +
test). It makes no code-level reach-in into core. Its integration assumptions
about v2 are guarded by scripts/transform.test.ts, which is copied into the
project's scripts/ test tree on apply (Phase 8) so vitest runs it against the
composed install. REMOVE.md reverses every file the skill copies.
OpenClaw and NanoClaw v2 differ structurally. Keep these in mind throughout:
data/v2.db) holds users,
user_roles, agent_groups, messaging_groups, and the
messaging_group_agents wiring between them. There is no store/messages.db
and no scheduled_tasks table.groups/global/. Shared
instructions live in container/CLAUDE.md (mounted read-only into every
container). Per-group memory is groups/<folder>/CLAUDE.local.md; the
CLAUDE.md in each group is composed at spawn — do not edit it..env; the NanoClaw host process reads them to connect to the platform.unknown_sender_policy plus
user_roles (owner/admin) and agent_group_members — not a JSON allowlist
file.messages_in row (kind='task') in a
session's inbound.db, carrying a cron recurrence and a process_after
timestamp. The agent creates them via its schedule_task MCP tool.Create migration-state.md in the project root at the start of Phase 0. Update
it after each phase. It's the single source of truth — if context is lost,
re-read it to recover decisions and progress. Re-read it before starting any
phase.
Sections to maintain:
Keep it factual and terse. Delete it at the end of Phase 8 (or offer to keep it as a record).
Run the discovery script to find and summarize the OpenClaw installation:
pnpm exec tsx ${CLAUDE_SKILL_DIR}/scripts/discover-openclaw.ts
If the user specifies a custom path, pass --state-dir <path>.
Parse the status block. Key fields: STATUS, STATE_DIR, CHANNELS,
WORKSPACE_FILES, DAILY_MEMORY_FILES, SKILL_COUNT, SKILLS, CRON_JOBS,
MCP_SERVERS, IDENTITY_NAME, AGENT_COUNT, AGENT_IDS, GROUPS (each formatted
channel:id(name)=>v2_platform_id — the right-hand value is what to pass as
--platform-id to register).
Sanity-check the output. The script detects known structures but can miss
data if OpenClaw's format changed. Check CONFIG_TOP_KEYS and
CONFIG_CHANNEL_KEYS — if you see keys it didn't report on, read that section
of the config with the Read tool. Check STATE_DIR_CONTENTS for directories it
doesn't scan.
If STATUS=not_found: Tell the user no OpenClaw install was detected at the
standard locations (~/.openclaw, ~/.clawdbot). Ask for a custom path; if
none, exit.
If STATUS=found: Present a human-readable summary (identity name, workspace files, channels and which v2 supports, daily memory count, skills, cron count, MCP servers, agent count). Then paraphrase the key architectural differences from the section above — don't dump it as a table.
AskUserQuestion: "Ready to start migrating? I'll go through each area one at a time."
Decide this before identity/memory — it determines where files go.
OpenClaw model: all groups routed to one agent share a workspace (SOUL/MEMORY/IDENTITY) and personality; only the session is per-group.
v2 model: each agent group is a separate container with its own filesystem,
memory, and CLAUDE.local.md. Shared instructions are placed in
container/CLAUDE.md (read-only in every container). There is no
groups/global/.
AskUserQuestion: "In OpenClaw your groups shared one personality and memory. In v2 each agent group is separate. How do you want to handle this?"
container/CLAUDE.md (every container sees it); each group adds its
own CLAUDE.local.md on top.Remember this choice for Phase 3.
IDENTITY_NAME from discovery is the OpenClaw name. Ask: "Your OpenClaw
assistant was named <IDENTITY_NAME>. Keep it in v2?" If empty, ask them to
choose (default: "Andy"). The chosen name is passed as --assistant-name to
register/init.
The owner identity and the primary agent are created together by
scripts/init-first-agent.ts. It upserts the user, grants the owner role,
creates the agent group + filesystem, wires a DM messaging group, and queues a
welcome DM over the running service's CLI socket — so the service must be
running. If it isn't, tell the user to start it first.
Resolve the owner's channel identity and the DM platform id (use the channel's own terminology). Then:
pnpm exec tsx scripts/init-first-agent.ts \
--channel <channel> \
--user-id <channel>:<handle> \
--platform-id <channel>:<dm-id> \
--display-name "<Owner Name>" \
--agent-name "<confirmed assistant name>" \
[--role owner] # default: owner
For direct-addressable channels (telegram, whatsapp) the --platform-id is
usually the same handle as --user-id with the channel prefix. --role
defaults to owner (global, cross-channel) — use admin (scoped to the agent
group) or member only if intended.
For each additional OpenClaw group the user wants to bring over, register a messaging group and wire it to an agent group:
pnpm exec tsx setup/index.ts --step register -- \
--platform-id "<v2_platform_id from discovery>" \
--name "<group name>" \
--folder "<channel>_<name-slug>" \
--channel "<channel>" \
--session-mode "<shared|agent-shared|per-thread>" \
[--trigger "@<assistant name>"] \
[--no-trigger-required] \
--assistant-name "<assistant name>"
Notes:
register namespaces the --platform-id the same way the adapter will at
runtime, so pass the => value discovery emitted (or the raw OpenClaw id).--folder to put a group on an existing agent (shared base/separate
conversations); use a new --folder for a fully separate agent.--trigger to set a regex, or
--no-trigger-required for respond-to-everything.Folder naming: <channel>_<name-slug> (e.g. telegram_dev-team). Confirm each
name and folder with the user.
Read the config (<STATE_DIR>/openclaw.json or clawdbot.json) for settings
that map to v2 setup.
Check agents.defaults.userTimezone. If it's a valid IANA zone, write it to
.env as TZ=<timezone>. v2 reads TZ from .env (src/config.ts) and uses
it for cron/recurrence evaluation, so this matters for scheduled tasks.
Check agents.defaults.timeoutSeconds. v2's equivalent is CONTAINER_TIMEOUT
(env var, default 30 min) or per-group ncl groups config update. If the
OpenClaw value differs notably, note it; the user can set
CONTAINER_TIMEOUT=<ms> in .env.
OpenClaw per-channel allowFrom / dmPolicy / groupPolicy map onto v2's
model, which is not a JSON file. Each messaging group has an
unknown_sender_policy; access is granted via user_roles (owner/admin) and
agent_group_members. Map:
dmPolicy/groupPolicy: "open" → leave the default; no extra grants.
allowFrom / groupAllowFrom lists → for each allowed sender, upsert the
user and add them as a member of the relevant agent group via ncl:
ncl users create --id "<channel>:<handle>" --kind <channel> --display-name "<name>"
ncl members add --user "<channel>:<handle>" --group "<ag-id>"
dmPolicy: "disabled" → don't wire that chat (or leave it registered but
unwired).
The messaging groups register / init-first-agent create already default to
unknown_sender_policy = 'strict', so unknown senders are gated until you add
them. Show the user the OpenClaw allowlist and confirm who to grant before
running the commands.
Fully conversational — read files directly and discuss. Placement depends on the Phase 1 choice:
container/CLAUDE.md (seen by
all containers, read-only). Group specifics → that group's
groups/<folder>/CLAUDE.local.md.groups/<folder>/CLAUDE.local.md.Never edit a group's composed CLAUDE.md — it's regenerated each spawn. Edit
CLAUDE.local.md (or container/CLAUDE.md for the shared base).
Find workspace files at <STATE_DIR>/workspace/. If AGENT_COUNT > 1, also
check <STATE_DIR>/agents/*/workspace/ and ask which agent maps to which v2
agent group.
Read them. Distinguish always-loaded vs reference:
container/CLAUDE.md (shared) or the group's CLAUDE.local.md (separate).groups/<folder>/soul.md, with a one-line pointer in CLAUDE.local.md:
"Extended personality is in soul.md."Show proposed edits before applying — this is a thoughtful merge, not a paste.
Create groups/<folder>/user-context.md and add a pointer in CLAUDE.local.md.
Ask whether any critical facts (name, timezone, key prefs) should go directly
into CLAUDE.local.md for always-on awareness.
Show MEMORY.md; keep relevant items in groups/<folder>/memories.md with a
pointer. For daily files (workspace/memory/*.md, count = DAILY_MEMORY_FILES):
AskUserQuestion: "You have N daily memory files. How to handle them?"
cp <workspace>/memory/*.md <group_dir>/daily-memories/,
add a pointer in CLAUDE.local.md.memories.md.If SKILL_COUNT > 0, the SKILL.md format is shared, so skills are portable.
Present each (name + description from the front matter) and let the user pick.
For each confirmed skill, copy the directory into the container skills tree:
cp -r <skill_source_dir> container/skills/<skill_name>
A container rebuild is needed afterward — note it for Phase 8.
If CONFIG_PLUGINS is non-empty, OpenClaw had plugins/skills carrying keys.
For each, read the config section and decide together:
ncl groups config add-mcp-server. Don't guess at packages.Don't install unknown packages or search for replacements — supply-chain risk.
Two destinations, decided per credential. Channel tokens → .env (host
reads them). Container-facing API credentials → the OneCLI vault (injected
per request, never in container env).
Preview, then write to .env. The script emits only masked values:
pnpm exec tsx ${CLAUDE_SKILL_DIR}/scripts/extract-channel-credentials.ts \
--state-dir <STATE_DIR> --channel <name>
Parse the status block. DESTINATION: env confirms a host-side token. Show
CREDENTIAL_MASKED (and CREDENTIAL_MASKED_2 for Slack's app token).
AskUserQuestion:
--write-env .env to save it..env yourself.pnpm exec tsx ${CLAUDE_SKILL_DIR}/scripts/extract-channel-credentials.ts \
--state-dir <STATE_DIR> --channel <name> --write-env .env
Check WRITTEN_TO / WRITTEN_COUNT. Slack writes both SLACK_BOT_TOKEN and
SLACK_APP_TOKEN in one run.
If HAS_CREDENTIAL=false but a credential is expected: the config shape may
be unrecognized, or it uses a file/exec SecretRef (CREDENTIAL_SOURCE
ends in _ref with a NOTE) that can't be auto-extracted. Read the channel
section of the config directly and ask the user to confirm or paste the value.
WhatsApp: authenticates via QR/pairing code — there's no token. Don't copy
Baileys auth state (stale encryption sessions break decryption).
Re-authenticate during /setup via /add-whatsapp. The extraction script
reports DESTINATION: none for it.
Find the agent's model credentials in OpenClaw. Check, in order:
<STATE_DIR>/auth-profiles.json (and
<STATE_DIR>/agents/<id>/agent/auth-profiles.json) — a profiles map keyed
provider:identifier. For an anthropic provider profile the value depends
on type: api_key → key, token → token, oauth → access.<STATE_DIR>/.env — ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN.models.providers — Anthropic provider apiKey.These are container-facing, so they go to the OneCLI vault. Do not write
them to .env or thread them into a container. Register each in the vault:
onecli secrets create --name Anthropic --type anthropic \
--value <key-or-token> --host-pattern api.anthropic.com
For other container-facing keys discovered in plugins (e.g. OpenAI):
onecli secrets create --name OpenAI --type api_key \
--value <key> --host-pattern api.openai.com
Run the command on the user's behalf so the value never lands in the chat
transcript; confirm with onecli secrets list.
Caveats: keyRef/tokenRef with source:"exec" or source:"file" can't
be auto-extracted — ask the user to paste it. For an oauth profile with a
past expiry, warn that the token may need refreshing; the user can run
claude setup-token and register the fresh token.
If OneCLI isn't installed yet, defer this: tell the user that during /setup
(or /init-onecli) they'll register the Anthropic credential, and note the
discovered profile in migration-state.md so it isn't lost.
If the user explicitly wants
.env-based credentials instead of the OneCLI vault, that's the/use-native-credential-proxyopt-out — the one place credentials are read from.envand injected into container requests without OneCLI. Only go there if the user asks for it.
Read <STATE_DIR>/cron/jobs.json. If absent or empty, skip.
If jobs exist, read ${CLAUDE_SKILL_DIR}/MIGRATE_CRONS.md for the v2 task
model, the mapCronToRecurrence transform, the full field mapping, and how
tasks are created (the agent's schedule_task MCP tool, since tasks live in a
per-session inbound.db the host owns). Follow it for each enabled job.
Read the relevant config sections directly. Conversational.
If MCP_SERVERS is non-empty, v2 supports per-agent-group MCP servers via the
container config. Read each server's command/args/env/url from
mcp.servers. For each one the user wants:
ncl groups config add-mcp-server --id <agent-group-id> \
--name <server-name> --command <cmd> \
[--args '<json-array>'] [--env '<json-object>']
stdio servers must be runnable inside the container (Node/npx-based work;
custom binaries need a Dockerfile addition). Secrets referenced by a server's
env should go to the OneCLI vault (Phase 4), not be inlined. The config
change takes effect on restart: ncl groups restart --id <agent-group-id>
(add --rebuild only if a custom binary was added to the Dockerfile).
OpenClaw cron.webhook / failureDestination / channel webhooks don't map to
a v2 primitive. For a notification webhook, fold it into a scheduled task's
prompt or a pre-agent script that curls the endpoint. Discuss the use case.
init-first-agent (Phase 1) already queued a welcome DM for the primary owner
agent. If the service was up, the owner should have received it. For groups
registered via setup --step register, the wiring also queues a /welcome
onboarding message on first wiring.
Tell the user which agents are live now and which await channel installation (unsupported channels registered for the future).
Copy the transform module and its test into the project so vitest runs them against the composed install, then build and test:
cp ${CLAUDE_SKILL_DIR}/scripts/transform.ts scripts/openclaw-transform.ts
cp ${CLAUDE_SKILL_DIR}/scripts/transform.test.ts scripts/openclaw-transform.test.ts
# Point the copied test at the copied module name:
sed -i.bak "s#from './transform.js'#from './openclaw-transform.js'#" scripts/openclaw-transform.test.ts && rm -f scripts/openclaw-transform.test.ts.bak
pnpm run build
pnpm exec vitest run scripts/openclaw-transform.test.ts
The test guards the skill's two v2 integration assumptions: credential routing
(container-facing → vault, channel tokens → .env) and the cron → v2
recurrence mapping. It imports the real cron-parser (the same parser the host
recurrence sweep uses), so a missing/renamed dependency turns it red. build
typechecks the transform module against the project.
These copied files are the only files the skill installs into the project tree;
REMOVE.md deletes them.
If OpenClaw skills were copied or MCP servers added: ./container/build.sh,
then restart the service.
Print what was migrated:
users / user_roles / agent group + welcome DM.env TZ; container timeout → notedcontainer/CLAUDE.md (shared) or per-group
CLAUDE.local.md + soul.mduser-context.md / memories.md / daily-memories/container/skills/.env (list channels)Noted for later: channel installs during /setup; container rebuild if needed;
tasks deferred until a session exists.
Not applicable: unsupported channels (registered for the future); OpenClaw-only features (exec approvals, human delay, TTS, model/thinking config).
Remind: "Run /setup next to finish your NanoClaw install. Channel tokens are
in .env; container-facing credentials are in the OneCLI vault. Select the
channels we configured when setup asks."
Then delete migration-state.md (or offer to keep it as a record), and remove
the copied transform files if you don't want them lingering (see REMOVE.md).
file/exec SecretRef — ask the user to
paste the value.init-first-agent can't reach the CLI socket: the service isn't running.
Start it, then re-run.Extracts user customizations from a fork, generates a replayable migration guide, and upgrades to upstream by reapplying customizations on a clean base. Replaces merge-based upgrades with intent-based migration.
Efficiently bring upstream NanoClaw updates into a customized install, with preview, selective cherry-pick, and low token usage.
Add Ollama MCP server so the container agent can call local models and optionally manage the Ollama model library.
Opt out of the OneCLI gateway and supply Anthropic credentials from .env instead. For users who want simple .env-based credential management without the OneCLI agent vault. Reads the API key or OAuth token from .env and injects it into the container's API requests.
Add Atomic Chat MCP server so the container agent can call local models served by the Atomic Chat desktop app via its OpenAI-compatible API.
Add Google Calendar as an MCP tool (list calendars, list/search/create events, free/busy queries) using OneCLI-managed OAuth. Multi-calendar and multi-account supported. Mirrors /add-gmail-tool's stub pattern — no raw credentials ever reach the container; OneCLI injects real tokens at request time.