← Back to Skills Marketplace
hynek-urban

Latchkey

by Hynek Urban · GitHub ↗ · v2.3.0+5
cross-platform ⚠ suspicious
370
Downloads
0
Stars
0
Active Installs
6
Versions
Install in OpenClaw
/install latchkey
Description
Interact with arbitrary third-party or self-hosted services (AWS, Slack, Google Drive, Dropbox, GitHub, GitLab, Linear, Coolify...) using their HTTP APIs.
README (SKILL.md)

Latchkey

Instructions

Latchkey is a CLI tool that automatically injects credentials into curl commands. Credentials (mostly API tokens) need to be manually managed by the user.

Use this skill when the user asks you to work with services that have HTTP APIs, like AWS, Coolify, GitLab, Google Drive, Discord or others.

Usage:

  1. Use latchkey curl instead of regular curl for supported services.
  2. Pass through all regular curl arguments - latchkey is a transparent wrapper.
  3. Check for latchkey services list to get a list of supported services. Use --viable to only show the currently configured ones.
  4. Use latchkey services info \x3Cservice_name> to get information about a specific service (auth options, credentials status, API docs links, special requirements, etc.).
  5. If necessary, ask the user to configure credentials first. Tell the user to run latchkey auth set on the machine where latchkey is installed (using the setCredentialsExample from the services info command).
  6. Look for the newest documentation of the desired public API online.
  7. Do not initiate a new login if the credentials status is valid or unknown - the user might just not have the necessary permissions for the action you're trying to do.

Examples

Make an authenticated curl request

latchkey curl [curl arguments]

Creating a Slack channel

latchkey curl -X POST 'https://slack.com/api/conversations.create' \
  -H 'Content-Type: application/json' \
  -d '{"name":"my-channel"}'

(Notice that -H 'Authorization: Bearer is not present in the invocation.)

Getting Discord user info

latchkey curl 'https://discord.com/api/v10/users/@me'

Detect expired credentials

latchkey services info discord  # Check the "credentialStatus" field - shows "invalid"

List usable services

latchkey services list --viable

Lists services that have stored credentials.

Get service-specific info

latchkey services info slack

Returns auth options, credentials status, and developer notes about the service.

Storing credentials

It is the user's responsibility to supply credentials. The user would typically do something like this:

latchkey auth set my-gitlab-instance -H "PRIVATE-TOKEN: \x3Ctoken>"

When credentials cannot be expressed as static curl arguments, the user would use the set-nocurl subcommand. For example:

latchkey auth set-nocurl aws \x3Caccess-key-id> \x3Csecret-access-key>

If a service doesn't appear with the --viable flag, it may still be supported; the user just hasn't provided the credentials yet. latchkey service info \x3Cservice_name> can be used to see how to provide credentials for a specific service.

Notes

  • All curl arguments are passed through unchanged
  • Return code, stdout and stderr are passed back from curl
  • Credentials are always stored encrypted and are never transmitted anywhere beyond the endpoints specified by the actual curl calls.

Currently supported services

Latchkey currently offers varying levels of support for the following services: AWS, Calendly, Coolify, Discord, Dropbox, Figma, GitHub, GitLab, Gmail, Google Analytics, Google Calendar, Google Docs, Google Drive, Google Sheets, Linear, Mailchimp, Notion, Sentry, Slack, Stripe, Telegram, Umami, Yelp, Zoom, and more.

User-registered services

Note for humans: users can also add limited support for new services at runtime using the latchkey services register command.

Usage Guidance
This skill appears to be what it says: a wrapper around an npm 'latchkey' CLI that injects stored credentials into curl requests. Before installing or allowing the agent to use it: 1) Verify the npm package author, version, and checksum (review the package source code if possible). 2) Confirm where and how latchkey stores and encrypts credentials on disk; prefer local, encrypted storage and understand the backup/export behavior. 3) Limit autonomous use: require user confirmation before the agent issues curl requests that could modify resources (create/delete). 4) Avoid configuring broad or high-privilege API tokens in latchkey without restricting their scope. 5) If concerned, test the CLI in a sandboxed environment or container first. These steps reduce supply-chain and credential-exfiltration risk.
Capability Analysis
Type: OpenClaw Skill Name: latchkey Version: 2.3.0+5 The 'latchkey' skill acts as a wrapper for a CLI tool designed to manage and inject sensitive API credentials (e.g., AWS, Slack, GitHub) into curl commands. While the instructions in SKILL.md are transparent and the behavior is aligned with the stated purpose, the skill involves high-risk capabilities including handling authentication tokens and executing network requests via an external npm package dependency. Per the analysis criteria, tools providing shell and network access for credential management are classified as suspicious due to the inherent risk of the functionality, even in the absence of explicit malicious intent.
Capability Assessment
Purpose & Capability
The name/description (a generic HTTP-API helper) matches the declared requirement (a latchkey binary) and the install spec (npm latchkey). No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to use 'latchkey curl' as a transparent wrapper and to pass all curl args through. That is appropriate for the stated purpose, but it means the agent can cause arbitrary authenticated HTTP requests with whatever credentials the user has configured—so the agent should not be allowed to construct or run curl invocations without user review when sensitive actions are possible.
Install Mechanism
Install uses the public npm package 'latchkey' which is a reasonable distribution channel for a Node CLI. Npm packages carry supply-chain risk (malicious or vulnerable code); nothing in the manifest points to a forged/obscure download, but you should verify package provenance/version/signature before installation.
Credentials
No environment variables or primary credentials are requested by the skill itself, which is proportionate. The tool manages API tokens locally per the instructions; that behavior is expected, though the SKILL.md's claim that credentials 'are never transmitted anywhere beyond the endpoints specified by the actual curl calls' is a trust assertion you cannot verify from the manifest alone.
Persistence & Privilege
always is false and the skill doesn't request persistent platform privileges or modify other skills. The agent may invoke the skill autonomously (default), which is normal; consider policy controls if you don't want autonomous HTTP actions.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install latchkey
  3. After installation, invoke the skill by name or use /latchkey
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.3.0+5
- Changed install instructions metadata from npm to node in compatibility requirements.
v2.3.0+4
- Updated the description to include "AWS" and "Google Drive" in the list of example services. - No functional or instruction changes; only the service examples in the description were broadened.
v2.3.0+3
Try to fix the openclaw metadata.
v2.3.0+2
Another try at an openclaw-friendly formulation of the skill.
v2.3.0+1
Initial openclaw-compatible version.
v2.3.0
Latchkey 2.3.0 Initial OpenClaw-compatible version.
Metadata
Slug latchkey
Version 2.3.0+5
License
All-time Installs 0
Active Installs 0
Total Versions 6
Frequently Asked Questions

What is Latchkey?

Interact with arbitrary third-party or self-hosted services (AWS, Slack, Google Drive, Dropbox, GitHub, GitLab, Linear, Coolify...) using their HTTP APIs. It is an AI Agent Skill for Claude Code / OpenClaw, with 370 downloads so far.

How do I install Latchkey?

Run "/install latchkey" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Latchkey free?

Yes, Latchkey is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Latchkey support?

Latchkey is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Latchkey?

It is built and maintained by Hynek Urban (@hynek-urban); the current version is v2.3.0+5.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments