← Back to Skills Marketplace
launchthatbot

Connector

by launchthatbot · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
388
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install connector
Description
Deprecated legacy connector skill. Use @launchthatbot/connect-openclaw-plugin for all new LaunchThatBot OpenClaw connect flows with configurable permissions.
README (SKILL.md)

LaunchThat OpenClaw Connector

Deprecated: this skill is being phased out. Use @launchthatbot/connect-openclaw-plugin instead.

When to use this skill

Use this skill when you need to:

  • connect an existing OpenClaw VPS to LaunchThatBot,
  • configure secure ingest token + request signing,
  • validate heartbeat/ingest/replay behavior,
  • troubleshoot connection, auth, or payload issues.

Do not use this skill for:

  • deploying OpenClaw infrastructure,
  • managing unrelated bot runtime logic,
  • reading local secrets outside explicitly provided token/secret inputs.

Security boundaries

  • Outbound-only network calls to LaunchThatBot API endpoints.
  • No shell execution from connector runtime.
  • No arbitrary filesystem reads (only explicit token/secret files and optional queue file).
  • Canonical event schema only (agent_status_changed, agent_moved_room, task_started, task_completed, room_updated).
  • Optional HMAC request signing with timestamp skew checks.

Source-of-truth policy

  • Connector implementation changes must be made in this monorepo package: packages/launchthat-openclaw-connector.
  • The mirrored launchthatbot/connect repo is a distribution mirror, not a primary authoring surface.
  • Use the sync workflow/runbook to propagate updates and avoid multi-writer divergence.

Quick setup workflow

  1. Create auth link:
lt-openclaw-connect auth-link \
  --base-url=https://app.launchthatbot.com \
  --workspace-id=default \
  --instance-name=my-openclaw

  1. Open returned authUrl, capture:

    • instanceId
    • ingestToken

  2. Export secrets:

export LAUNCHTHAT_INGEST_TOKEN="\x3Ctoken>"
export LAUNCHTHAT_SIGNING_SECRET="\x3Cshared-signing-secret>"
  1. Run connector:
lt-openclaw-connect run \
  --base-url=https://app.launchthatbot.com \
  --workspace-id=default \
  --instance-id=\x3CinstanceId>

Operational checks

  • Heartbeat endpoint returns 200.
  • Ingest endpoint returns ok: true.
  • Replay endpoint returns recent events.
  • LaunchThatBot dashboard reflects active connected instance.

Common troubleshooting

  • 401 Invalid token: refresh callback and rotate ingest token.
  • 401 Invalid request signature: verify OPENCLAW_SIGNING_SECRET and clock skew.
  • 429 Rate limit exceeded: reduce burst size/retry cadence.
  • No UI updates: verify replay endpoint contains events for current instance/workspace.

Additional resources

Usage Guidance
This connector appears to do what it says: send canonical events and heartbeats to a LaunchThatBot base URL, optionally sign requests, and persist a local queue. Before installing, verify the package origin (source repo/homepage is missing here), prefer the newer recommended plugin (@launchthatbot/connect-openclaw-plugin), and confirm the ingest token and signing secret handling meets your policies. Note the metadata omission: the runtime requires an ingest token (LAUNCHTHAT_INGEST_TOKEN by default) even though the registry entry lists no required env vars. Also check and agree with the default queue path (~/.config/launchthat-openclaw/queue.json) or set --persist-queue=false if you don't want local persistence. If you need higher assurance, review the published npm package contents and signature (or verify the package from the official LaunchThatBot repo) before deploying in production.
Capability Analysis
Type: OpenClaw Skill Name: connector Version: 0.1.0 The skill is classified as suspicious due to a significant vulnerability in `src/cli.ts`. The `resolveSecret` function, which handles secret input, allows reading an arbitrary file path specified via command-line arguments (`--ingest-token-file`, `--signing-secret-file`). This contradicts the security claims in `SKILL.md`, `CLAWHUB_LISTING_TEMPLATE.md`, and `SECURITY.md` that state 'No arbitrary filesystem reads' and 'local files outside explicitly provided token/secret files'. An attacker controlling the arguments could exploit this to read sensitive files from the system, leading to information disclosure, even though the code's intent is to use the file content as a legitimate token for its stated purpose.
Capability Assessment
Purpose & Capability
Name/description, SKILL.md, README, and the TypeScript implementation align: the package creates an auth link, posts heartbeats and event batches to LaunchThatBot, supports optional HMAC signing, and persists a local queue. However, the registry metadata declares no required environment variables while the runtime expects an ingest token (LAUNCHTHAT_INGEST_TOKEN by default or via file/prompt) and optionally a signing secret. That metadata omission is an inconsistency but not a functional mismatch.
Instruction Scope
SKILL.md promises outbound-only network calls, no shell execution, and no arbitrary filesystem reads. The code respects those boundaries: it only performs HTTPS POSTs to baseUrl-derived endpoints, does not spawn subprocesses, and only reads/writes the configured queue file and explicit secret file(s) or env vars. Minor docs inconsistency: one doc line references OPENCLAW_SIGNING_SECRET while examples and the CLI default use LAUNCHTHAT_SIGNING_SECRET.
Install Mechanism
There is no install spec (instruction-only) so nothing will be downloaded or written by an installer. Source files are present in the skill bundle, but the package relies on a normal TypeScript build (tsc) when published. No remote/external download URLs or archive extraction are present.
Credentials
The skill legitimately needs an ingest token and (optionally) a signing secret to operate and writes a local queue file in ~/.config/launchthat-openclaw/queue.json by default. Those are proportionate to the connector's purpose. The inconsistency is that required env vars were not declared in registry metadata; otherwise no unrelated credentials are requested.
Persistence & Privilege
The skill does not request permanent platform-wide presence (always:false). It persists a local queue file under the user's home config directory with restrictive modes and does not modify other skills or global agent config. Autonomous invocation (model invocation allowed) is the default platform behavior and is not a standalone concern here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install connector
  3. After installation, invoke the skill by name or use /connector
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
- Initial release of the deprecated legacy connector skill for OpenClaw. - Directs users to use @launchthatbot/connect-openclaw-plugin for all new connections. - Supports connecting existing OpenClaw VPS to LaunchThatBot with secure token and request signing. - Provides strict security boundaries: outbound-only network calls, no shell execution, no arbitrary filesystem reads. - Documents operational checks, troubleshooting steps, and quick setup workflow. - Clarifies source-of-truth policy for maintenance and updates.
Metadata
Slug connector
Version 0.1.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Connector?

Deprecated legacy connector skill. Use @launchthatbot/connect-openclaw-plugin for all new LaunchThatBot OpenClaw connect flows with configurable permissions. It is an AI Agent Skill for Claude Code / OpenClaw, with 388 downloads so far.

How do I install Connector?

Run "/install connector" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Connector free?

Yes, Connector is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Connector support?

Connector is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Connector?

It is built and maintained by launchthatbot (@launchthatbot); the current version is v0.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments