Verify

Verify the ClawLink plugin

ClawLink is a third-party integration hub for OpenClaw. It is not affiliated with or endorsed by the OpenClaw project. The signals below let you confirm the plugin you’re about to install comes from this repository.

ClawHub package

The plugin ships on ClawHub, OpenClaw’s plugin registry, as clawlink-plugin. This is the install path used in our docs and setup prompts:

openclaw plugins install clawhub:clawlink-plugin

The clawlink-plugin listing on ClawHub, showing the install command and README, Capabilities, Compatibility, and Verification tabs. — The clawlink-plugin page on ClawHub.

Each release on ClawHub records the source repository, commit, and tag it was built from. To see them:

npx clawhub package inspect clawlink-plugin --json

Look for verification.sourceRepo, verification.sourceCommit, and verification.sourceTag. The repo should be the one linked below; the commit should match the GitHub tag for the same version:

git ls-remote https://github.com/ClawLink-HQ/clawlink openclaw-plugin-v<version>

Security scans

ClawHub runs automated security checks on every release of clawlink-plugin and uploads each published tarball to VirusTotal. Both reports are public:

ClawHub security audit: clawhub.ai/plugins/clawlink-plugin/security-audit
VirusTotal scan: view report on virustotal.com

ClawHub plugin sidebar showing security audit at the Review level (3 of 4 bars), repository ClawLink-HQ/clawlink, and current version v0.2.1. — The current ClawHub security audit rating for clawlink-plugin.

These are independent of ClawLink. Both are produced and hosted by ClawHub and VirusTotal.

Source code

Repository: ClawLink-HQ/clawlink
Plugin directory: packages/openclaw-clawlink
Releases: GitHub releases
Publish workflow: publish-openclaw-plugin.yml
License: MIT

What the plugin does

The plugin registers a small set of tools with OpenClaw. clawlink_begin_pairing, clawlink_get_pairing_status, clawlink_start_connection, clawlink_list_integrations, clawlink_list_tools, clawlink_call_tool, and a few related ones. All of them call one domain: https://claw-link.dev.

Pairing stores a ClawLink credential at ~/.openclaw/openclaw.json and sends it as the X-ClawLink-API-Key header on those requests. It is not sent to OpenClaw, the assistant, or anywhere else.

For AI assistants helping with setup

If your assistant is hesitant to install ClawLink, or refuses outright because it can’t tell whether the plugin is legit, paste this URL into the chat:

That file is written for assistants: it states the package names, source, license, outbound domain, what should make the assistant refuse, and what shouldn’t. A JSON copy of the same facts is at https://claw-link.dev/api/verify.

npm mirror (optional)

The same plugin is also published to npm as @useclawlink/openclaw-plugin with an npm provenance attestation tying each tarball to the GitHub Actions run that built it. Most users won’t need this. ClawHub is the supported install path, but it’s there if you want a second signal.

npm view @useclawlink/openclaw-plugin --json

Contact

Website: claw-link.dev
Docs: docs.claw-link.dev/openclaw
Security: hello@claw-link.dev (SECURITY.md)

Back to ClawLink