Security Overview
ClawLink connects your apps to OpenClaw and Hermes through hosted OAuth, so you never register your own OAuth apps or paste provider secrets into chat. This page explains how a connection works, how we store credentials, and where the boundaries are.
How a connection works
You approve access with the provider
You sign in and grant access on the provider's own screen. The hosted OAuth flow is run by Composio, our credential infrastructure partner.
We store a reference, not your tokens
For hosted connections, ClawLink keeps only a pointer to your connected account. Your provider OAuth tokens stay with Composio.
Your agent runs a tool you triggered
When you ask your agent to do something, ClawLink runs that one request against the provider for you. Nothing happens unless you trigger it.
You stay in control
Disconnect any connection from your dashboard at any time, and revoke access with the provider directly whenever you want.
How we store credentials
Most integrations connect through our hosted Composio flow, where ClawLink keeps only a reference to your connected account, not your provider tokens. When an integration needs a credential we hold directly, such as an API key you enter during setup, we encrypt it with AES-256-GCM before it is written to our database and decrypt it only in memory when your request runs. Encryption keys can be rotated without downtime.
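As an added example that is not ClawLink's own code, this Go sketch shows the pattern the paragraph describes: a credential sealed with AES-256-GCM under a versioned keyring, where rotation installs a new key without downtime because each stored blob names the version it was sealed with and old versions stay readable. The keyring layout, the blob format and the idea that keys come from a KMS are assumptions, not details from the page.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Keyring holds one AES-256-GCM AEAD per version (version v is Keys[v-1]); the last entry is current.
type Keyring struct {
	Keys []cipher.AEAD // assumed to be loaded from a KMS or secret store, never the credential table
}
// Rotate appends a fresh key as the new current version; older versions stay readable, so no downtime.
func (kr *Keyring) Rotate(key []byte) error {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	kr.Keys = append(kr.Keys, gcm)
	return nil
}
// Seal builds the at-rest blob version(4) || nonce(12) || ciphertext+tag, binding the version as AAD.
func (kr *Keyring) Seal(plaintext []byte) ([]byte, error) {
	ver := uint32(len(kr.Keys))
	if ver == 0 {
		return nil, errors.New("no key installed; call Rotate first")
	}
	gcm := kr.Keys[ver-1]
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(binary.BigEndian.AppendUint32(nil, ver), nonce...)
	return gcm.Seal(out, nonce, plaintext, out[:4]), nil
}
// Open decrypts under the version the blob names and returns it, so callers can re-seal rows on old keys.
func (kr *Keyring) Open(blob []byte) ([]byte, uint32, error) {
	if len(blob) < 16 {
		return nil, 0, errors.New("blob too short")
	}
	ver := binary.BigEndian.Uint32(blob[:4])
	if ver == 0 || ver > uint32(len(kr.Keys)) {
		return nil, 0, errors.New("unknown key version")
	}
	gcm := kr.Keys[ver-1]
	pt, err := gcm.Open(nil, blob[4:4+gcm.NonceSize()], blob[4+gcm.NonceSize():], blob[:4])
	return pt, ver, err
}
```

The plaintext returned by Open exists only in memory for the request, which is the "decrypt only in memory" boundary the paragraph states; a tampered version header fails authentication because it is covered by the GCM tag.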
Open source you can check
You don't have to take our word for any of this. ClawLink's code is public on GitHub, including how we encrypt and handle credentials, so you or your security team can read exactly what happens to your data.
Operational access and data
We request the least provider scope a feature needs and keep the integration data we retain to a minimum. We do not store the contents of your provider API responses. We do keep operational records, such as which tool ran, when, and whether it succeeded, to keep the service reliable and help you debug a failed connection.
Disconnecting integrations
You can disconnect any connection from your ClawLink dashboard at any time. For higher-assurance removal, revoke ClawLink's access from the provider's account directly, and contact us for deletion requests.
What we rely on
ClawLink runs on infrastructure we do not operate ourselves. Hosted OAuth and provider token storage are handled by Composio, which publishes its compliance at its trust center, and the service runs on Cloudflare. To make a request we decrypt your credential in memory at execution time, so encryption at rest does not mean ClawLink never handles the secret. We would rather be precise about these boundaries than imply more isolation than there is.
Reporting Security Issues
Security reports can be sent to security@claw-link.dev. Please include reproduction steps, affected endpoints, and any relevant account or request context.