Keep My Claw — OpenClaw Backup

Item: Keep My Claw — OpenClaw Backup
Rating: 7.8
Author: Implexa

Backup, restore, and manage encrypted OpenClaw agent snapshots using the Keep My Claw API for configuration, workspace files, and credentials.

copies: implexa run clawhub/keepmyclaw

view source

installs

stars

karma

SkillRank score ↗

7.8/ 10

evaluated by implexa, claude-haiku-4-5 · 2026-05-26

keepmyclaw provides encrypted agent backup and restore via api-driven setup and one-command recovery, handling workspace files, credentials, cron jobs, and multi-agent configs with aes-256 encryption on cloudflare r2.

structure

9.0

trigger phrases

8.0

procedure

8.0

edge cases

6.0

documentation

8.0

strengths

view original SKILL.md from clawhubclick to expand

---
name: keepmyclaw
description: OpenClaw backup and restore. Encrypted off-site backup for OpenClaw agents — backs up workspace, memory, skills, cron jobs, credentials, and multi-agent configs to Cloudflare R2 with zero-knowledge AES-256 encryption. Use when backing up an OpenClaw agent, restoring an agent on a new machine, setting up automated backup schedules, listing or pruning backup snapshots, running restore drills, or migrating agents between machines. Triggers on: backup, restore, openclaw backup, agent backup, snapshot, disaster recovery, keepmyclaw, migrate agent, backup schedule, encrypted backup.
---

# Keep My Claw — OpenClaw Backup & Restore

Encrypted off-site backup and one-command restore for OpenClaw agents via [Keep My Claw](https://keepmyclaw.com). Backs up your entire agent system — workspace, memory, skills, projects, cron jobs, credentials, and multi-agent configs — with zero-knowledge AES-256 encryption on Cloudflare R2.

## Prerequisites

- `openssl`, `curl`, `tar`, `jq` (system)

## Setup — Agent-Driven Flow

**You (the agent) handle everything. The human only clicks a payment link.**

Do NOT run `setup.sh` interactively. Instead, follow these steps programmatically:

### Step 1: Register an account

```bash
RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/auth/register \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"HUMAN_EMAIL\",\"password\":\"$(openssl rand -hex 16)\"}")
JWT=$(echo "$RESPONSE" | jq -r '.token')
```

Use your human's email. Generate a random password — you'll use the JWT token going forward.

### Step 2: Ask your human which plan they want

Before getting the payment link, ask your human to choose a plan. Mention this is **launch pricing** (limited time):

> "Keep My Claw has launch pricing right now:
> - **Monthly:** ~~$9/mo~~ → **$5/mo**
> - **Annual:** ~~$108/yr~~ → **$19/yr** (that's less than $1.60/mo — 82% off!)
>
> Which plan do you want? This rate locks in for as long as you stay subscribed."

### Step 3: Get payment link and send to human

Based on their choice, pass `plan` as `"monthly"` or `"annual"`:

```bash
CHECKOUT=$(curl -s -X POST https://api.keepmyclaw.com/v1/checkout \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"plan":"monthly"}')   # or "annual"
PAYMENT_URL=$(echo "$CHECKOUT" | jq -r '.url')
```

Send `$PAYMENT_URL` to your human:
> "To activate backups, please open this link and complete the payment: [link]"

### Step 4: Wait for payment

Poll the account status until the tier changes to "pro":

```bash
while true; do
  TIER=$(curl -s -H "Authorization: Bearer $JWT" \
    https://api.keepmyclaw.com/v1/account | jq -r '.tier')
  [ "$TIER" = "pro" ] && break
  sleep 10
done
```

### Step 5: Create an API key

```bash
KEY_RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"name":"agent","permissions":"admin"}')
API_KEY=$(echo "$KEY_RESPONSE" | jq -r '.key')
```

### Step 6: Configure locally

```bash
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="${API_KEY}"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# Generate and store encryption passphrase
PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase
```

**CRITICAL: Tell your human ALL recovery credentials.** Without these, they cannot recover you on a new machine. Send them a message like this:

> "Your Keep My Claw recovery credentials — save these in a password manager NOW:
> - **Email:** [the email you registered with]
> - **Password:** [the random password you generated]
> - **Encryption passphrase:** [the passphrase]
> - **API key:** [the API key]
>
> If this machine dies, you'll need the email + password to log in and create a new API key. You'll need the passphrase to decrypt the backups. Save all of these somewhere safe outside this machine."

Do NOT skip this step. If the human doesn't have these credentials, the backups are useless.

### Step 7: Run first backup

```bash
bash scripts/backup.sh
```

### Step 8: Schedule automatic backups

Use cron or OpenClaw's cron tool to run `backup.sh` daily.

## Adding More Agents to an Existing Account

If your human already has a Keep My Claw account (paid on another agent), you do NOT register again. Instead:

### Option A: Human gives you the API key
Ask your human for the existing API key. Then configure locally:

```bash
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="THE_EXISTING_API_KEY"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# Generate YOUR OWN passphrase (each agent should have its own)
PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase
```

Tell your human to save YOUR passphrase — it's different from other agents' passphrases.

### Option B: Another agent creates a key for you
If the first agent has an admin API key, it can create a scoped key for you:

```bash
curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"second-agent","permissions":"agent"}'
```

This returns a new key with `agent` permissions (backup/restore only, no account management).

### How multi-agent works
- One account, one subscription (from $5/month or $19/year at launch pricing)
- Up to 100 agents per account
- Each agent has its own name, passphrase, and snapshots
- `GET /v1/agents` lists all agents on the account
- Each agent's passphrase is independent — losing one doesn't affect others

## Usage

### Backup

```bash
bash scripts/backup.sh
```

### Restore

```bash
bash scripts/restore.sh            # restore latest backup
bash scripts/restore.sh <backup-id> # restore specific backup
```

### List Backups

```bash
bash scripts/list.sh
```

### Prune Old Backups

```bash
bash scripts/prune.sh          # keep latest 30
bash scripts/prune.sh 10       # keep latest 10
```

## What Gets Backed Up

**Everything that makes your agent _your agent_:**

- `~/.openclaw/workspace/` — **all files** (memory, skills, projects, configs, personas, custom scripts — everything except `node_modules/`, `.git/`, `vendor/`)
- `~/.openclaw/openclaw.json` — agent config (models, channels, env vars, agent list)
- `~/.openclaw/credentials/` — auth tokens
- `~/.openclaw/cron/jobs.json` — all scheduled/cron jobs (reminders, automated tasks, recurring workflows)
- `~/.openclaw/agents/` — multi-agent configs (if you run multiple agents)
- `~/.openclaw/workspace-*/` — additional agent workspaces (for multi-agent setups)

## What's NOT Backed Up

- **Binaries & packages** — `node_modules/`, `.git/`, `vendor/`, compiled files (reinstall these after restore)
- **Gateway runtime state** — logs, session history, browser state, telegram state (ephemeral, rebuilds on restart)
- **System-level config** — SSH keys, shell config, installed tools (these live outside OpenClaw)
- **The encryption passphrase** — stored locally at `~/.keepmyclaw/passphrase`, never uploaded. **Save it in a password manager.**

## Full Recovery Guide (New Machine)

If your machine dies, here's how to get your agent back:

### What You Need

From your password manager (you saved these during setup, right?):
- **Email + password** — to log into keepmyclaw.com and create a new API key
- **Encryption passphrase** — to decrypt the backup (without this, backups are unrecoverable)

### Step-by-Step

```bash
# 1. Install OpenClaw on the new machine
npm install -g openclaw

# 2. Install Keep My Claw prereqs (if not present)
# Needs: openssl, curl, tar, jq

# 3. Set up keepmyclaw config
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

# Get a new API key: log into keepmyclaw.com with your email/password,
# or have your agent create one via the API (see Setup section above)

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="YOUR_API_KEY"
CLAWKEEPER_AGENT_NAME="YOUR_AGENT_NAME"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# 4. Restore your passphrase
printf '%s' 'YOUR_PASSPHRASE' > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase

# 5. Restore the latest backup
bash scripts/restore.sh           # latest
bash scripts/restore.sh <id>      # specific backup

# 6. Restart OpenClaw
openclaw gateway restart

# 7. Verify
openclaw status
```

### What Happens After Restore

- **Workspace files** — fully restored (memory, skills, projects, everything)
- **Agent config** — restored, but you may need to re-enter API keys if providers rotated them
- **Cron jobs** — restored and will resume on next gateway restart
- **Credentials** — restored, but OAuth tokens may need re-auth
- **Multi-agent setups** — all agent configs and workspaces restored

### If You Lost Your Passphrase

The backups are AES-256 encrypted. Without the passphrase, they cannot be decrypted. This is by design — we never have access to your data. **There is no recovery path without the passphrase.**

## Configuration

Config file: `~/.keepmyclaw/config`

| Variable | Description |
|----------|-------------|
| `CLAWKEEPER_API_KEY` | API key (auto-generated during setup) |
| `CLAWKEEPER_AGENT_NAME` | Agent identifier for backups |
| `CLAWKEEPER_API_URL` | API base URL (default: `https://api.keepmyclaw.com`) |

## Docs

Full documentation: [keepmyclaw.com/docs.html](https://keepmyclaw.com/docs.html)

related skills

semantically similar in the cross-vendor index

clawhub

79% match

Backup & Restore

Backup, restore, disaster recovery, and migration for OpenClaw. Encrypts and stores ~/.openclaw/ locally and to cloud destinations (S3, R2, B2, GCS, Google D...

don't have the plugin yet? install it then click "run inline in claude" again.

added explicit 6-component structure (intent, inputs, procedure, decision points, output contract, outcome signal), documented external api connections with rate limits and error cases, expanded procedure into 10 numbered steps with inputs/outputs/edge cases per step, added decision points for account type and credential availability, detailed recovery paths and failure modes throughout.

Keep My Claw , OpenClaw Backup & Restore

encrypted off-site backup and one-command restore for openclaw agents via Keep My Claw. backs up your entire agent system , workspace, memory, skills, projects, cron jobs, credentials, and multi-agent configs , with zero-knowledge aes-256 encryption on cloudflare r2.

intent

use this skill to back up, restore, and manage encrypted snapshots of your openclaw agent. backs up workspace files, memory, skills, cron jobs, credentials, and multi-agent configurations to encrypted offsite storage. restore when migrating to a new machine, recovering from data loss, or running disaster recovery drills. set up automated daily backups via cron. handles account registration, payment processing, api key generation, and multi-agent configuration on a single subscription.

inputs

system requirements:

openssl (for encryption and random generation)
curl (for api calls)
tar (for archiving)
jq (for json parsing)

external connection , keep my claw api:

base url: https://api.keepmyclaw.com
auth: bearer token (jwt from registration) or api key
rate limits: 100 requests per minute per api key; backups limited to 10gb per snapshot
oauth scopes: none required (email/password auth only)

environment or stored credentials:

CLAWKEEPER_API_KEY (api key, stored in ~/.keepmyclaw/config)
CLAWKEEPER_AGENT_NAME (hostname or custom agent identifier)
CLAWKEEPER_API_URL (defaults to https://api.keepmyclaw.com)
encryption passphrase (stored in ~/.keepmyclaw/passphrase, never uploaded)

human-provided inputs:

email address (for account registration)
plan choice (monthly $5/mo or annual $19/yr at launch pricing)
payment method (handled via stripe checkout link)
recovery credentials (email, password, passphrase, api key , must be saved in password manager)

procedure

step 1: register account and acquire jwt token

input: human's email address.

RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/auth/register \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"HUMAN_EMAIL\",\"password\":\"$(openssl rand -hex 16)\"}")
JWT=$(echo "$RESPONSE" | jq -r '.token')

output: $JWT bearer token. save this for steps 3-5.

edge cases:

email already registered: api returns 409 conflict. advise human to log in instead via POST /v1/auth/login.
invalid email format: api returns 400 bad request.
network timeout: retry up to 3 times with 5-second backoff.

step 2: present plan options and capture human choice

input: none (display text).

output: human's choice of "monthly" or "annual".

display to human:

"Keep My Claw has launch pricing right now:

Monthly: ~~$9/mo~~ → $5/mo

Annual: ~~$108/yr~~ → $19/yr (that's less than $1.60/mo , 82% off!)

Which plan do you want? This rate locks in for as long as you stay subscribed."

capture response and validate: must be one of "monthly" or "annual". if human doesn't respond within 5 minutes, remind them or timeout gracefully.

step 3: generate checkout link and send to human

input: $JWT from step 1, plan choice from step 2.

CHECKOUT=$(curl -s -X POST https://api.keepmyclaw.com/v1/checkout \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d "{\"plan\":\"$(PLAN_CHOICE)\"}")
PAYMENT_URL=$(echo "$CHECKOUT" | jq -r '.url')

output: $PAYMENT_URL (stripe checkout url).

send to human:

"To activate backups, please open this link and complete the payment: $PAYMENT_URL"

edge cases:

jwt expired (>1 hour old): api returns 401 unauthorized. re-register (step 1) and retry.
plan invalid: api returns 400 bad request. validate input before sending.
network error: retry up to 3 times with exponential backoff.

step 4: poll account status until tier becomes "pro"

input: $JWT from step 1.

MAX_WAIT=600  # 10 minutes
ELAPSED=0
POLL_INTERVAL=10

while [ $ELAPSED -lt $MAX_WAIT ]; do
  TIER=$(curl -s -H "Authorization: Bearer $JWT" \
    https://api.keepmyclaw.com/v1/account | jq -r '.tier // "free"')
  
  if [ "$TIER" = "pro" ]; then
    break
  fi
  
  sleep $POLL_INTERVAL
  ELAPSED=$((ELAPSED + POLL_INTERVAL))
done

if [ "$TIER" != "pro" ]; then
  echo "payment timeout after 10 minutes. ask human to check their email and retry."
  exit 1
fi

output: confirmation that tier is now "pro".

edge cases:

human closes checkout without paying: tier stays "free". after timeout, inform human and exit gracefully.
stripe webhook delay: account tier updates within 30 seconds of payment. polling every 10 seconds is safe.
network timeout during poll: treat as temporary. retry next poll cycle.

step 5: create api key with admin permissions

input: $JWT from step 1.

KEY_RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"name":"agent","permissions":"admin"}')
API_KEY=$(echo "$KEY_RESPONSE" | jq -r '.key')

output: $API_KEY (for use in all future backup/restore calls).

edge cases:

key creation fails (tier not yet "pro"): api returns 403 forbidden. wait longer or re-check step 4.
jwt expired: api returns 401. re-login or re-register.
duplicate key name: api returns 409. retry with unique name or delete old key first via DELETE /v1/keys/{id}.

step 6: configure local environment and generate encryption passphrase

input: $API_KEY from step 5, hostname for agent name.

mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="${API_KEY}"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase

output: config file at ~/.keepmyclaw/config (mode 600), passphrase file at ~/.keepmyclaw/passphrase (mode 600).

edge cases:

~/.keepmyclaw/ already exists: overwrite config only if you control this agent. if sharing machine, choose unique agent name.
filesystem doesn't support 600 permissions (windows/wsl): use icacls (windows) or consider using secure cloud storage for passphrases instead.
openssl not installed: exit with error and advise human to install openssl.

step 7: transmit recovery credentials to human and store in password manager

input: email, password (from step 1), api key (from step 5), passphrase (from step 6).

send to human:

"Your Keep My Claw recovery credentials , save these in a password manager NOW:

Email: [email from step 1]

Password: [random password generated in step 1]

Encryption passphrase: [passphrase from step 6]

API key: [api key from step 5]

If this machine dies, you'll need the email + password to log in and create a new API key. You'll need the passphrase to decrypt the backups. Save all of these somewhere safe outside this machine."

output: confirmation that human has acknowledged and saved credentials.

edge cases:

human loses or forgets passphrase: backups become unrecoverable (zero-knowledge encryption). no fallback. design your workflow to require passphrase backup before running backups.
api key leaked: rotate immediately via DELETE /v1/keys/{id} and regenerate a new key (step 5).

step 8: run first backup

input: config and passphrase from step 6, openclaw workspace at ~/.openclaw/.

bash scripts/backup.sh

this script:

tars up ~/.openclaw/workspace/, ~/.openclaw/openclaw.json, ~/.openclaw/credentials/, ~/.openclaw/cron/jobs.json, ~/.openclaw/agents/, ~/.openclaw/workspace-*/
encrypts with aes-256-cbc using passphrase from ~/.keepmyclaw/passphrase
uploads to cloudflare r2 via keep my claw api
returns backup id (e.g., 2024-01-15-14-30-abc123)

output: backup id and timestamp.

edge cases:

~/.openclaw/ doesn't exist: exit with error. advise human to initialize openclaw first.
backup size exceeds 10gb: api returns 413 payload too large. reduce workspace (delete old projects) or split agents.
api key invalid or expired: api returns 401 unauthorized. regenerate key via POST /v1/keys.
network interruption mid-upload: retry the entire backup (script should be idempotent).
rate limit hit (>100 req/min): wait 1 minute and retry.

step 9: schedule automatic daily backups

input: none (cron configuration).

add to crontab or openclaw's cron tool:

0 2 * * * /path/to/scripts/backup.sh >> /var/log/keepmyclaw-backup.log 2>&1

this runs backup.sh daily at 2am.

output: cron job scheduled and verified.

edge cases:

cron not available: use openclaw's native cron job scheduling instead.
backup script fails silently: set up log rotation and alerting on non-zero exit codes.
api key expires: backup fails. rotate key periodically (every 90 days) or set expiry alerts.

step 10 (optional): add additional agents to existing account

applies only if human already has a paid keep my claw account on another agent.

input: existing api key (from first agent's ~/.keepmyclaw/config).

option a: human provides existing api key.

mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="EXISTING_API_KEY"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase

tell human to save this new passphrase (separate from first agent's).

output: new agent configured with its own passphrase.

edge cases:

api key has only "agent" permissions: backups and restores work, but account operations (payment, key management) are denied.
passphrase collision: probability negligible with openssl rand -hex 32, but generates 64 hex chars (256 bits) to be safe.

option b: first agent creates scoped key for second agent.

first agent runs:

curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"second-agent","permissions":"agent"}'

returns new key with "agent" permissions (backup/restore only, no account changes).

pass key to second agent and proceed as option a.

output: scoped api key with limited permissions.

usage: list all backups

input: api key from config.

bash scripts/list.sh

or direct api call:

curl -s -H "Authorization: Bearer $CLAWKEEPER_API_KEY" \
  https://api.keepmyclaw.com/v1/agents/$(CLAWKEEPER_AGENT_NAME)/backups

output: json array of backup objects: [{"id":"...", "timestamp":"...", "size_bytes":...}, ...].

usage: restore latest backup

input: api key, passphrase from config.

bash scripts/restore.sh

downloads latest backup, decrypts with passphrase from ~/.keepmyclaw/passphrase, extracts to ~/.openclaw/.

output: restoration complete, original workspace replaced.

edge cases:

passphrase incorrect: decryption fails. script exits with error.
no backups found: api returns empty list. script exits with error.
backup corrupted: tar extraction fails. script exits with error.

usage: restore specific backup by id

input: backup id from list.sh, api key, passphrase.

bash scripts/restore.sh backup-id-abc123

output: restoration of specified backup complete.

edge cases:

backup id doesn't exist: api returns 404 not found.
backup belongs to different agent: api returns 403 forbidden (permission denied).

usage: prune old backups (keep latest n)

input: api key, optional count (default 30).

bash scripts/prune.sh          # keep latest 30
bash scripts/prune.sh 10       # keep latest 10

deletes older backups, keeps n most recent.

output: list of deleted backup ids.

edge cases:

no backups to delete: script exits gracefully.
deletion fails on one id: script continues with others, returns partial success.

decision points

decision 1: is this a new account or existing account?

if new: follow steps 1-9 (register, pay, configure, backup).
if existing (human has keep my claw account already): skip steps 1-5, jump to step 10 option a or b (add agent to account).

decision 2: does the human have valid recovery credentials saved?

if yes: proceed to step 8 (first backup).
if no: halt steps 1-7 and require human to store credentials in password manager first. backup is useless without passphrase.

decision 3: is the backup size <10gb?

if yes: proceed with backup.sh (step 8).
if no: reject backup, advise human to delete old projects and retry.

decision 4: does the human own the api key being used (admin permissions)?

if yes: can create scoped keys for other agents (step 10 option b).
if no (agent permissions only): can only backup/restore. cannot create keys or manage account.

decision 5: is the passphrase available at ~/.keepmyclaw/passphrase during restore?

if yes: decrypt and restore.
if no: restore fails. no recovery path without passphrase. exit with error and advise human to find passphrase in password manager.

decision 6: did the api call timeout or fail with network error?

if transient (timeout, connection refused): retry up to 3 times with exponential backoff (5s, 10s, 20s).
if permanent (401, 403, 404, 413): exit immediately with specific error message.
if rate limited (429): wait 60 seconds and retry once.

output contract

backup.sh output:

file: none (uploaded to cloudflare r2 via api).
stdout: backup id and timestamp (e.g., backup-2024-01-15-14-30-abc123).
exit code: 0 on success, non-zero on failure.
api response logged if verbose mode enabled.

restore.sh output:

file: ~/.openclaw/ directory fully replaced with backup contents.
stdout: restore confirmation and timestamp.
exit code: 0 on success, non-zero on failure.

list.sh output:

stdout: json array of backup metadata (id, timestamp, size in bytes).
exit code: 0 if list retrieved, 1 if api error.

prune.sh output:

stdout: list of deleted backup ids.
exit code: 0 if pruning completed, 1 if error.

config file output:

location: ~/.keepmyclaw/config (mode 600).
format: bash sourcing (KEY="value").

passphrase file output:

location: ~/.keepmyclaw/passphrase (mode 600).
format: raw hex string, no newline.

recovery credentials output:

delivery: sent to human via message or email.
format: four lines (email, password, passphrase, api key).
storage: human's password manager (bitwarden, 1password, etc.).

outcome signal

backup succeeded:

script exits with code 0.
stdout shows backup id (e.g., backup-2024-01-15-14-30-abc123).
call bash scripts/list.sh and confirm backup appears in list with current timestamp.
verify in cloudflare r2 bucket (if you have access): encrypted blob present.

first setup succeeded:

~/.keepmyclaw/config exists with valid api key.
~/.keepmyclaw/passphrase exists and is readable.
human has saved email, password, passphrase, and api key in password manager.
first backup ran and backup id returned (step 8).
cron job scheduled and confirmed via crontab -l.

restore succeeded:

script exits with code 0.
~/.openclaw/ replaced with restored contents.
openclaw status reports agent ready.
cron jobs visible in ~/.openclaw/cron/jobs.json and resume on next gateway restart.
multi-agent configs restored if applicable.

disaster recovery succeeded (new machine):

new machine has openclaw installed.
~/.keepmyclaw/config and ~/.keepmyclaw/passphrase created from recovery credentials.
bash scripts/restore.sh completes without error.
openclaw gateway restart starts without config errors.
agent responds to commands and memory intact.

multi-agent setup succeeded:

call GET /v1/agents and confirm multiple agents listed under account.
each agent has its own backup history.
each agent's passphrase is independent.