---
name: reclaw_backup_operator
description: Install and operate ReClaw for OpenClaw. Use when the user asks to initialize ReClaw, bootstrap a backup account, create a restore point, list backups, inspect backup metadata, restore a backup archive, or manage automatic backups.
---

# ReClaw Backup Operator

Use the `reclaw` CLI for ReClaw work. Use the documented `backup restore` flow for archive recovery, and do not invent apply-to-machine steps or API calls that are not already documented by the CLI or OpenClaw.

## Required context

Before remote backup operations, confirm these are available or provided by the prompt:

- `RECLAW_BASE_URL`
- `RECLAW_TOKEN`
- `RECLAW_BACKUP_PASSPHRASE`
- `openclaw` on `PATH`

For installation or updates, also confirm `node`, `curl`, and `tar` are on `PATH`, and that Node.js is version 20 or newer.

Never print `RECLAW_TOKEN` or `RECLAW_BACKUP_PASSPHRASE` in logs or in the final report.

## Install or update ReClaw

If `reclaw` is missing, or the user asked to install or update it, prefer the exact install URL from the prompt. If only `RECLAW_BASE_URL` is available, use:

```sh
curl -fsSL "${RECLAW_BASE_URL%/}/install.sh" | sh
export PATH="${HOME}/.local/bin:${PATH}"
reclaw --version
```

That installer also refreshes the shipped `reclaw_backup_operator` skill and enables future CLI self-updates for managed installs.

## Initialize a machine

When the user asks to initialize ReClaw for OpenClaw:

1. Verify prerequisites: `node`, `curl`, `tar`, `openclaw`, and `reclaw`.
2. Check whether the remote backup account already exists for this user:

```sh
reclaw backup account-status
reclaw backup account-status --json
```

If the account is already initialized, `RECLAW_BACKUP_PASSPHRASE` must be the original passphrase
for that user account. Do not treat a fresh API token as a fresh backup account.

If the passphrase is known and the user wants to change it, use:

```sh
reclaw backup rotate --new-passphrase "new secret"
```

If the passphrase is forgotten and the user explicitly approves destructive recovery, use:

```sh
reclaw backup reset --delete-backups --yes
```

This destroys the remote backup account and any remaining visible backups for that user.

3. Save the passphrase locally before bootstrapping:

```sh
mkdir -p ~/.config/reclaw
umask 077 && printf "%s\n" "$RECLAW_BACKUP_PASSPHRASE" > ~/.config/reclaw/recovery-passphrase.txt
```

4. Bootstrap the backup account:

```sh
reclaw backup bootstrap
```

5. Enable automatic backups:

```sh
reclaw backup auto-enable
```

6. Verify the installation:

```sh
reclaw backup auto-status
reclaw backup list
```

Stop immediately if any command fails. Report scheduler health, the latest backup id if one exists, and anything you had to install or fix.

## Create a restore point

Use `reclaw backup create` to create, encrypt, and upload an OpenClaw archive.

Common examples:

```sh
reclaw backup create --label "Before risky change"
reclaw backup create --only-config --label "Config-only snapshot"
```

Useful flags:

- `--label TEXT` to explain why the backup was taken
- `--only-config` to back up config without the workspace
- `--no-include-workspace` to exclude workspace data
- `--keep-archive` to preserve the local archive after upload
- `--openclaw-bin PATH` when `openclaw` is not on the default `PATH`
- `--json` when structured output is easier to report or parse

## List and inspect backups

Use:

```sh
reclaw backup list
reclaw backup list --json
reclaw backup show <backup-id>
reclaw backup show <backup-id> --decrypt-metadata
```

Use `--decrypt-metadata` when the passphrase is available and the user wants the label, archive filename, or archive hash.

## Restore flow

Use `reclaw backup restore` for the archive recovery step. This command downloads, decrypts, and optionally verifies the backup archive locally. It does not apply the archive back into OpenClaw by itself.

Recommended sequence:

```sh
reclaw backup list --json
reclaw backup show <backup-id> --decrypt-metadata
reclaw backup restore <backup-id> --verify --output /safe/path/archive.tar.gz
```

Operational rules:

- Pick a fresh output path. `reclaw backup restore` refuses to overwrite an existing file.
- Use `--verify` when `openclaw` is available so the archive is checked after decryption.
- Report the final output path and verification result.
- If the user wants the archive applied back into OpenClaw, find or ask for the correct OpenClaw restore or import command instead of inventing one.
- `reclaw backup download` remains available as the lower-level archive retrieval command, but prefer `restore` in user-facing instructions.

## Automatic backups

Use these commands for scheduled backup operations:

```sh
reclaw backup auto-status
reclaw backup auto-run
reclaw backup auto-disable
```

Rules:

- `auto-status` is the default health check.
- `auto-run` is safe for a manual trigger.
- Only use `auto-disable` when the user explicitly asks to stop scheduling.

## Destructive actions

Deleting backups is destructive. Only do it on an explicit user request or a prompt that clearly instructs it.

```sh
reclaw backup delete <backup-id> --yes
```

## Reporting

Prefer concise operator-style summaries. Include:

- what you installed or changed
- scheduler health
- backup ids or output paths that matter
- whether archive verification succeeded

Do not include secrets in the report.