← 返回
未分类 Key 中文

OpenClaw WebDAV Backup

Backup and restore an OpenClaw workspace with incremental backups, integrity verification, health checks, optional config encryption and optional WebDAV uplo...
备份和恢复 OpenClaw 工作区,支持增量备份、完整性校验、健康检查,可选配置加密和可选 WebDAV 上传。
ifox2046 ifox2046 来源
未分类 clawhub v1.3.0 2 版本 100000 Key: 需要
★ 0
Stars
📥 498
下载
💾 0
安装
2
版本
#backup#export#latest#migration#restore#security#webdav

概述

OpenClaw WebDAV Backup

Lightweight backup/restore skill for OpenClaw.

It covers:

  • local backup archives (full and incremental)
  • multi-level backup strategies (smart, daily, hourly)
  • optional encryption for openclaw.json
  • optional WebDAV upload
  • restore from local backup archives
  • backup version management (list, select, delete)
  • backup integrity verification
  • configuration health checks
  • lightweight scheduled backup guidance
  • optional Telegram notifications for backup success/failure

It does not provide WebDAV storage. The user must supply their own WebDAV endpoint and credentials.

When to use this skill

Use this skill when the user asks to:

  • back up OpenClaw (full or incremental)
  • restore OpenClaw from backup
  • migrate OpenClaw to a new VM or machine
  • protect backup configs with encryption
  • upload backups to a self-provided WebDAV target
  • schedule daily or periodic backups
  • receive Telegram notifications for scheduled backup success/failure
  • prepare a simple disaster-recovery workflow
  • check backup configuration health
  • verify backup integrity
  • manage backup versions (list, delete old backups)

Implementation layout

Canonical implementation lives inside the skill:

  • scripts/openclaw-backup.impl.sh
  • scripts/openclaw-restore.impl.sh

Thin wrapper scripts may also exist in the workspace and call these implementations. Keep the skill scripts as the source of truth.

Default workflow

1. Local backup (full)

bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh

2. Incremental backup with smart strategy

Auto-determines level based on day:

  • Sunday: Level 0 (full backup)
  • Monday-Saturday: Level 1 (incremental)
# Smart strategy (recommended for cron)
BACKUP_STRATEGY=smart bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh

# Or explicitly set level
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh --level=1

3. Encrypted backup + WebDAV upload

🔴 CHECKPOINT: Confirm with the user before uploading to any remote WebDAV target. This operation sends potentially sensitive data (including encrypted configs) to an external server. Only proceed after explicit user confirmation.

Prepare .env.backup with the user's own WebDAV settings, then run:

bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh --encrypt-config --upload

Only do real upload after confirming the user wants to write to the remote WebDAV target.

4. Restore from a local backup set

🛑 STOP: Restore will overwrite current workspace files. Before proceeding, confirm with the user:

  1. The backup path is correct
  2. They have a current backup of the current state (in case rollback is needed)
  3. They understand this is a destructive operation on the workspace directory
bash skills/openclaw-webdav-backup/scripts/openclaw-restore.sh --from backups/openclaw/latest --decrypt-config

⚠️ Failure Mode Encoding

If any backup, upload, restore, or notification operation fails, follow the table below:

Trigger ConditionFirst-Line FixIf Still Failing (Fallback)
------------------------------------------------------------
WebDAV upload fails (curl error)Retry with --retry 3, verify .env.backup credentialsFall back to local-only backup, notify user with error details
Backup integrity check fails (tar -tzf error)Report specific archive corruption path, do NOT proceed with restoreSuggest manual inspection of the backup directory and logs
Encryption fails (openssl unavailable)Check openssl version and install if missingFall back to unencrypted backup with a clear security warning
Restore source missing or corruptedVerify backup path exists with ls -laList available backups for user to select an alternative
Disk space insufficient for backupRun df -h . and suggest cleanupAbort with available-space-required message and suggestions
Notification send fails (Telegram/WeCom/Feishu)Check network, verify token/key in .env.backup.notifyLog failure locally and continue; backup itself is not affected
Compression tool unavailable (pigz/pzstd)Auto-fallback to gzip/zstd (single-threaded)Log warning about degraded performance, proceed with gzip

Backup Strategies

The skill supports multiple backup strategies via BACKUP_STRATEGY environment variable:

StrategyDescriptionLevel Behavior
---------------------------------------
full (default)Always full backupLevel 0
weeklyWeekly full backupLevel 0
dailyDaily with auto-incrementalLevel 0 once, then Level 1
smartRecommended for productionSunday=Level 0, Mon-Sat=Level 1
hourlyFine-grained incrementalLevel 0 → 1 → 2 chain

Level Explanation

  • Level 0: Full backup (tar creates complete archive + snapshot file)
  • Level 1: Incremental backup (only files changed since Level 0)
  • Level 2: Incremental backup (only files changed since Level 1)

Cron Examples

# Smart strategy: Sunday full, weekdays incremental
0 0 * * 0 BACKUP_STRATEGY=smart /path/to/openclaw-backup.sh --upload
30 3 * * 1-6 BACKUP_STRATEGY=smart /path/to/openclaw-backup.sh --upload

# Weekly full only
0 3 * * 0 BACKUP_STRATEGY=weekly /path/to/openclaw-backup.sh --upload

# Daily with auto-level detection
0 3 * * * BACKUP_STRATEGY=daily /path/to/openclaw-backup.sh

Manual Level Control

Override auto-detection with --level flag:

bash openclaw-backup.sh --level=0  # Force full backup
bash openclaw-backup.sh --level=1  # Force incremental (level 1)

Compression Options

The skill supports multiple compression tools with automatic detection of parallel variants:

OptionToolThreadsNotes
------------------------------
gzipgzip1Standard, widely available
pigzpigzNParallel gzip, 3-5x faster
zstdzstd1High compression ratio
pzstdpzstdNParallel zstd, fastest option

Auto-Detection

By default, the skill auto-detects the best available compressor:

# Prefers pigz > gzip, pzstd > zstd
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh

Explicit Selection

Force a specific compressor:

bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh --compress=pigz
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh --compress=pzstd

Parallel Jobs

Control the number of compression threads (default: auto-detect CPU cores):

# Use 8 threads explicitly
PARALLEL_JOBS=8 bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh

# Or via CLI
bash skills/openclaw-webdav-backup/scripts/openclaw-backup.sh --jobs=8

Installation

Install parallel compression tools for best performance:

# Ubuntu/Debian
sudo apt-get install pigz zstd

# macOS
brew install pigz zstd

# CentOS/RHEL
sudo yum install pigz zstd

Backup Notifications

The skill supports multiple notification channels for backup success/failure alerts.

Supported Channels

ChannelStatusConfiguration
--------------------------------
Telegram✅ ReadyBot token + Chat ID
WeCom (企业微信)✅ ReadyWebhook key
Feishu (飞书)✅ ReadyWebhook token

Quick Setup

  1. Copy the example config:
  2. cp references/env.backup.notify.example .env.backup.notify
    
  1. Edit .env.backup.notify with your channel settings:

Telegram Setup

BACKUP_NOTIFY=1
BACKUP_NOTIFY_CHANNEL="telegram"
BACKUP_NOTIFY_TELEGRAM_CHAT_ID="123456789"
BACKUP_NOTIFY_TELEGRAM_BOT_TOKEN="123456:your-bot-token"  # Optional, can auto-detect

WeCom (企业微信) Setup

BACKUP_NOTIFY=1
BACKUP_NOTIFY_CHANNEL="wecom"
BACKUP_NOTIFY_WECOM_KEY="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
BACKUP_NOTIFY_WECOM_MENTION="13800138000,13900139000"  # Optional: mobile numbers

Get webhook key from: Group Settings → Add Robot → Copy Webhook URL key

Feishu (飞书) Setup

BACKUP_NOTIFY=1
BACKUP_NOTIFY_CHANNEL="feishu"
BACKUP_NOTIFY_FEISHU_TOKEN="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
BACKUP_NOTIFY_FEISHU_SECRET="your-secret"  # Optional: if signature enabled

Get webhook token from: Group Settings → Add Bot → Copy Webhook URL token

Notification Content

Notifications include:

  • Backup status (✅ success / ❌ failure)
  • Timestamp and backup type
  • Local backup location
  • Encryption status
  • WebDAV upload status
  • Retention settings

🚫 Anti-Patterns & Blacklist

Do NOT do the following when using or maintaining this skill:

🚫 Anti-PatternWhyCorrect Approach
-------------------------------------
Commit .env.backup or .env.backup.secret to gitLeaks WebDAV credentials and encryption keys permanentlyAdd to .gitignore; only share via secure channel
Hardcode real credentials in example filesExamples get copied into scripts and committedAlways use placeholder values (your_webdav_url, your_password)
Run restore without user confirmationOverwrites the current workspace irreversiblyUse --dry-run first, then confirm with user
Delete old backups without askingUser may need older backups for audit/recoveryList available versions, let user choose which to delete
Upload unencrypted openclaw.json to remoteContains API keys, tokens, and secretsAlways use --encrypt-config before --upload
Run destructive operations without --dry-runNo way to preview what will happenAlways offer dry-run first; restore supports --dry-run flag
Include real tokens in .env.backup.notify examplesNotification tokens can be misused if leakedUse placeholder values in docs; store real values separately

🔴 Critical Checkpoints

The following operations require explicit user confirmation before proceeding:

OperationCheckpointRisk Level
----------------------------------
WebDAV uploadConfirm remote target and data sensitivity🔴 High
Restore from backupConfirm backup path, destructive nature, current state backup🔴 High
Encrypted config backupConfirm encryption password is recoverable🟡 Medium

Important behavior notes

  • openclaw.json may contain secrets, tokens, and API keys
  • prefer --encrypt-config before remote upload
  • .env.backup stores WebDAV connection settings and should not be committed
  • .env.backup.secret is optional; it is only a convenience carrier for BACKUP_ENCRYPT_PASS
  • .env.backup.notify is optional and enables backup notifications when configured
  • restore depends on the decryption password itself, not on the secret file specifically
  • for encrypted backups, .env.backup.secret and the password are either/or: either keep the file, or remember/provide the password
  • workspace backups exclude .env.backup and .env.backup.secret
  • local and remote retention are supported through LOCAL_KEEP and REMOTE_KEEP

Read references when needed

  • For usage, included files, and backup examples: read references/backup.md
  • For restore/decrypt flow and restore checks: read references/restore.md
  • For automation with cron/systemd: read references/scheduling.md
  • For migration/disaster-recovery planning: read references/migration-plan.md
  • For common user questions and boundary clarifications: read references/faq.md
  • For config template examples: read references/env.backup.example, references/env.backup.secret.example, and references/env.backup.notify.example

Validated behaviors

This skill has been validated against a real OpenClaw setup for:

  • local backup creation
  • encrypted config backup
  • WebDAV upload
  • local and remote retention
  • restore drill to a simulated fresh-machine home directory
  • cron-based scheduled backup
  • Telegram notification on backup success
  • backup integrity verification
  • configuration health checks

Health Check & Integrity Verification

Configuration Health Check

Run scripts/openclaw-healthcheck.sh to diagnose backup environment:

bash skills/openclaw-webdav-backup/scripts/openclaw-healthcheck.sh

Checks performed:

CheckDescription
--------------------
Base Environmentworkspace dir, state dir, openclaw.json, extensions
Backup Infrastructurebackup root, snapshot dir, existing backups
Dependenciestar, curl, openssl availability
Configuration.env.backup, .env.backup.secret variables
Backup IntegrityValidates all existing tar.gz archives

Exit codes:

  • 0 - All checks passed
  • 1 - One or more critical checks failed

Backup Integrity Verification

Every backup automatically runs integrity checks:

  1. Archive validation - tar -tzf verifies archive structure
  2. Manifest verification - Confirms manifest.txt exists
  3. Metadata check - Confirms workspace.meta exists

Failed integrity checks will abort the backup with error status.

To manually verify a specific backup:

tar -tzf backups/openclaw/2026-04-02-030000/workspace.tar.gz >/dev/null && echo "Valid" || echo "Corrupted"

Restore with Integrity Check

When restoring, verify the backup before extraction:

# Check integrity first
bash scripts/openclaw-restore.sh --from <backup_dir> --dry-run

# Then perform actual restore
bash scripts/openclaw-restore.sh --from <backup_dir>

Private-share checklist

Before sharing this skill privately, verify:

  • no real .env.backup or .env.backup.secret is included
  • no real WebDAV URL, username, password, token, or backup passphrase remains in tracked files
  • examples use placeholder values only
  • docs state clearly that WebDAV storage is user-provided
  • restore wording states password and secret file are either/or, not both required
  • references match actual script behavior

Scope

This skill intentionally stays lightweight. It supports:

  • local backup and restore
  • optional config encryption
  • optional WebDAV upload
  • local and remote retention
  • password-based restore with optional secret file automation

It does not currently provide:

  • built-in WebDAV provisioning
  • secret-manager integration
  • fully automatic remote download-and-restore flow
  • multi-target cloud replication

版本历史

共 2 个版本

  • v1.3.0 当前
    2026-06-03 13:06 安全 安全
  • v1.2.7
    2026-05-03 06:04 安全 安全

安全检测

腾讯云安全 (Keen)

安全,无风险
查看报告

腾讯云安全 (Sanbu)

安全,无风险
查看报告

🔗 相关推荐

it-ops-security

1password

steipete
设置和使用 1Password CLI (op)。适用于:安装 CLI、启用桌面应用集成、登录(单/多账户)、通过 op 读取/注入/运行密钥。
★ 53 📥 31,699
it-ops-security

OpenClaw Backup

alex3alex
备份与恢复 OpenClaw 数据。适用于创建备份、设置自动备份计划、从备份恢复或管理备份轮转。处理 ~/.openclaw 目录归档并包含适当的排除规则。
★ 90 📥 31,042
it-ops-security

Free Ride - Unlimited free AI

shaivpidadi
管理OpenClaw的OpenRouter免费AI模型,自动按质量排名模型,配置速率限制备用方案,并更新opencla...
★ 471 📥 78,390