Code Plugin · source linked

ClawLink v0.2.1

Trusted SaaS integrations for OpenClaw agents through the ClawLink plugin

clawlink-plugin · runtime clawlink-plugin · by @hith3sh
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:clawlink-plugin
Latest release: v0.2.1

Capabilities

configSchema: Yes
Executes code: Yes
HTTP routes: 0
Runtime ID: clawlink-plugin

Compatibility

Built with OpenClaw version: 2026.4.5
Min gateway version: 2026.3.13
Plugin API range: >=2026.3.13
Plugin SDK version: 2026.4.5

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The package purpose is coherent: it is an OpenClaw plugin for routing external app integrations through ClawLink. The artifacts clearly disclose that ClawLink is an independent SaaS and stores provider OAuth tokens and API credentials on ClawLink servers, while the local plugin stores a ClawLink device credential.
Instruction Scope
The bundled skill tells agents to use ClawLink for external apps broadly, including email, calendars, CRMs, inboxes, and any third-party tool, and to check ClawLink before other approaches. Combined with a generic dynamic execution tool, this is overbroad for sensitive services even though it matches the integration-broker purpose.
Install Mechanism
The install path is disclosed through ClawHub or npm, with source-linked metadata and a clean static scan. It is not a trusted @openclaw publisher package and the release metadata says artifact-only/source-linked rather than full provenance.
Credentials
Runtime network access appears limited in code to https://claw-link.dev, and local file mutation is limited to OpenClaw plugin configuration. The sensitive part is proportional to the purpose but important: connected providers' tokens and API credentials live on ClawLink servers.
Persistence & Privilege
The plugin persists a local ClawLink credential and pending pairing state in OpenClaw config, and provides logout/removal behavior. It does not show hidden background workers or unrelated persistence, but the saved credential enables future access to connected integrations.
Scan Findings in Context
[SQP-1] expected: The broad activation language is expected in part for a hosted integration hub, but the artifact explicitly covers sensitive services and open-ended external apps, so this supports Review rather than a malicious finding.
[SQP-1] expected: The instruction to check ClawLink before other approaches is purpose-aligned, but it is under-scoped because it can steer agents away from more specific or safer workflows for high-impact external actions.
What to consider before installing
Install only if you are comfortable using ClawLink as a third-party broker for your connected SaaS accounts. Connect only the apps you intend the agent to use, review ClawLink's dashboard and credential controls, use previews and explicit confirmations before writes or destructive actions, and remove the local ClawLink credential with the plugin logout command if you stop using it.

Verification

Tier: source linked
Scope: artifact only
Summary: Validated package structure and linked the release to source metadata.
Commit: 8b630a0b9cc9
Tag: main
Provenance: No
Scan status: suspicious

Tags

latest: 0.2.1

ClawLink OpenClaw Plugin

Third-party OpenClaw plugin that lets OpenClaw talk to external SaaS apps through ClawLink's hosted integration layer.

Not affiliated with OpenClaw. ClawLink is an independent service. This package is published by the ClawLink team under the npm scope @useclawlink. Source: public GitHub repository. License: MIT.

What it does

ClawLink stores provider OAuth tokens and API credentials on ClawLink servers, encrypted at rest, for a growing catalog of business apps on your behalf. It then exposes a uniform set of tools so OpenClaw can read from and write to those apps without per-provider setup. Today that includes integrations like Google Docs, Google Sheets, Google Calendar, Google Drive, Twilio, and Google Search Console. Setup is browser pairing: OpenClaw opens a ClawLink approval page, you approve the device once, then return to chat and send done so the plugin can store its local ClawLink device credential safely.

Install

openclaw plugins install clawhub:clawlink-plugin

Or directly from npm:

openclaw plugins install @useclawlink/openclaw-plugin

Configure

  1. In OpenClaw, start browser pairing:
    • let the assistant call clawlink_begin_pairing
    • if your session started before the plugin was installed and the tools are not visible yet, start a fresh chat and retry pairing there
    • if a fresh chat still doesn't show the tools, contact your OpenClaw admin or ClawLink support to reload the gateway
  2. Open the returned ClawLink pairing URL in your browser and approve the device.
  3. Go back to OpenClaw and send done.
  4. Let the assistant call clawlink_get_pairing_status to finish storing the local credential.

The resulting device credential is stored locally in ~/.openclaw/openclaw.json under plugins.entries.clawlink-plugin.config.apiKey and is only sent to claw-link.dev.
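
A local check for the credential location described above, as an added example that is not part of the plugin or its README: it reports whether the device credential is present (for instance, to confirm that /clawlink logout removed it) and whether the config file is accessible to other local users. It assumes openclaw.json parses as strict JSON; the function name audit_clawlink_credential is hypothetical.

```python
import json
import os
import stat
from pathlib import Path

# Location and key path as stated in the plugin README.
CONFIG_PATH = Path.home() / ".openclaw" / "openclaw.json"
KEY_PATH = ("plugins", "entries", "clawlink-plugin", "config", "apiKey")


def audit_clawlink_credential(path=CONFIG_PATH):
    """Return a list of findings about the stored ClawLink device credential.

    Assumption: the config file parses as strict JSON. The credential value
    itself is never returned or printed.
    """
    path = Path(path)
    if not path.exists():
        return ["config file not found: no local credential"]
    findings = []
    # Any group/other permission bit exposes the credential to local users.
    mode = stat.S_IMODE(path.stat().st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"config mode {mode:04o} is group/world accessible; use 0600")
    try:
        node = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return findings + [f"could not parse config: {type(exc).__name__}"]
    # Walk the nested key path; stop as soon as a level is missing.
    for key in KEY_PATH:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            break
    if isinstance(node, str) and node:
        findings.append("ClawLink device credential present")
    else:
        findings.append("no ClawLink device credential stored")
    return findings


if __name__ == "__main__":
    for line in audit_clawlink_credential():
        print(line)
```

Run it once after pairing and again after /clawlink logout; the second run should report that no credential is stored.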

Full setup walkthrough: https://docs.claw-link.dev/openclaw

Tools

The plugin registers ten tools. OpenClaw's assistant discovers available integrations dynamically — you don't need to configure individual apps here.

  • clawlink_begin_pairing — start or resume browser pairing for this OpenClaw install
  • clawlink_get_pairing_status — finish pairing after the user returns from the browser and says done
  • clawlink_start_connection — start a hosted OAuth/connect session for a new app
  • clawlink_get_connection_status — poll an in-progress connect session
  • clawlink_list_integrations — list apps already connected
  • clawlink_list_tools — list callable tools for one connected app
  • clawlink_search_tools — search connected tools by capability or keyword
  • clawlink_describe_tool — fetch schema and usage guidance for one tool
  • clawlink_preview_tool — preview a tool call before execution, especially for writes
  • clawlink_call_tool — execute a tool against a connected app

Support Commands

Normal onboarding should happen through tools and browser pairing. These commands remain as support/debug escape hatches:

  • /clawlink pair [deviceLabel] — start or resume browser pairing from the plugin fast path
  • /clawlink pair-status — check whether browser pairing has been approved yet and finish setup after browser approval
  • /clawlink status — show whether the plugin is paired
  • /clawlink logout — remove the saved credential

Security

  • ClawHub package: clawlink-plugin
  • npm package: @useclawlink/openclaw-plugin
  • ClawHub publishes are source-linked to the public GitHub repository and the latest ClawHub security scan is clean.
  • npm releases are published from GitHub Actions with npm provenance.
  • ClawHub verification includes source-linked release metadata for the published artifact.
  • The plugin only makes outbound HTTPS requests to https://claw-link.dev.
  • Browser pairing stores only a local ClawLink device credential under ~/.openclaw/openclaw.json.
  • Provider tokens and API keys are not written to OpenClaw config or shown to the assistant; they stay on ClawLink servers encrypted at rest.
  • The local device credential is sent only as the X-ClawLink-API-Key header to ClawLink.
  • Report security issues to security@claw-link.dev.