← 返回 Skills 市场
hynek-urban

Latchkey

作者 Hynek Urban · GitHub ↗ · v2.3.0+5
cross-platform ⚠ suspicious
370
总下载
0
收藏
0
当前安装
6
版本数
在 OpenClaw 中安装
/install latchkey
功能描述
Interact with arbitrary third-party or self-hosted services (AWS, Slack, Google Drive, Dropbox, GitHub, GitLab, Linear, Coolify...) using their HTTP APIs.
使用说明 (SKILL.md)

Latchkey

Instructions

Latchkey is a CLI tool that automatically injects credentials into curl commands. Credentials (mostly API tokens) need to be manually managed by the user.

Use this skill when the user asks you to work with services that have HTTP APIs, like AWS, Coolify, GitLab, Google Drive, Discord or others.

Usage:

  1. Use latchkey curl instead of regular curl for supported services.
  2. Pass through all regular curl arguments - latchkey is a transparent wrapper.
  3. Check for latchkey services list to get a list of supported services. Use --viable to only show the currently configured ones.
  4. Use latchkey services info \x3Cservice_name> to get information about a specific service (auth options, credentials status, API docs links, special requirements, etc.).
  5. If necessary, ask the user to configure credentials first. Tell the user to run latchkey auth set on the machine where latchkey is installed (using the setCredentialsExample from the services info command).
  6. Look for the newest documentation of the desired public API online.
  7. Do not initiate a new login if the credentials status is valid or unknown - the user might just not have the necessary permissions for the action you're trying to do.

Examples

Make an authenticated curl request

latchkey curl [curl arguments]

Creating a Slack channel

latchkey curl -X POST 'https://slack.com/api/conversations.create' \
  -H 'Content-Type: application/json' \
  -d '{"name":"my-channel"}'

(Notice that -H 'Authorization: Bearer is not present in the invocation.)

Getting Discord user info

latchkey curl 'https://discord.com/api/v10/users/@me'

Detect expired credentials

latchkey services info discord  # Check the "credentialStatus" field - shows "invalid"

List usable services

latchkey services list --viable

Lists services that have stored credentials.

Get service-specific info

latchkey services info slack

Returns auth options, credentials status, and developer notes about the service.

Storing credentials

It is the user's responsibility to supply credentials. The user would typically do something like this:

latchkey auth set my-gitlab-instance -H "PRIVATE-TOKEN: \x3Ctoken>"

When credentials cannot be expressed as static curl arguments, the user would use the set-nocurl subcommand. For example:

latchkey auth set-nocurl aws \x3Caccess-key-id> \x3Csecret-access-key>

If a service doesn't appear with the --viable flag, it may still be supported; the user just hasn't provided the credentials yet. latchkey service info \x3Cservice_name> can be used to see how to provide credentials for a specific service.

Notes

  • All curl arguments are passed through unchanged
  • Return code, stdout and stderr are passed back from curl
  • Credentials are always stored encrypted and are never transmitted anywhere beyond the endpoints specified by the actual curl calls.

Currently supported services

Latchkey currently offers varying levels of support for the following services: AWS, Calendly, Coolify, Discord, Dropbox, Figma, GitHub, GitLab, Gmail, Google Analytics, Google Calendar, Google Docs, Google Drive, Google Sheets, Linear, Mailchimp, Notion, Sentry, Slack, Stripe, Telegram, Umami, Yelp, Zoom, and more.

User-registered services

Note for humans: users can also add limited support for new services at runtime using the latchkey services register command.

安全使用建议
This skill appears to be what it says: a wrapper around an npm 'latchkey' CLI that injects stored credentials into curl requests. Before installing or allowing the agent to use it: 1) Verify the npm package author, version, and checksum (review the package source code if possible). 2) Confirm where and how latchkey stores and encrypts credentials on disk; prefer local, encrypted storage and understand the backup/export behavior. 3) Limit autonomous use: require user confirmation before the agent issues curl requests that could modify resources (create/delete). 4) Avoid configuring broad or high-privilege API tokens in latchkey without restricting their scope. 5) If concerned, test the CLI in a sandboxed environment or container first. These steps reduce supply-chain and credential-exfiltration risk.
功能分析
Type: OpenClaw Skill Name: latchkey Version: 2.3.0+5 The 'latchkey' skill acts as a wrapper for a CLI tool designed to manage and inject sensitive API credentials (e.g., AWS, Slack, GitHub) into curl commands. While the instructions in SKILL.md are transparent and the behavior is aligned with the stated purpose, the skill involves high-risk capabilities including handling authentication tokens and executing network requests via an external npm package dependency. Per the analysis criteria, tools providing shell and network access for credential management are classified as suspicious due to the inherent risk of the functionality, even in the absence of explicit malicious intent.
能力评估
Purpose & Capability
The name/description (a generic HTTP-API helper) matches the declared requirement (a latchkey binary) and the install spec (npm latchkey). No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to use 'latchkey curl' as a transparent wrapper and to pass all curl args through. That is appropriate for the stated purpose, but it means the agent can cause arbitrary authenticated HTTP requests with whatever credentials the user has configured—so the agent should not be allowed to construct or run curl invocations without user review when sensitive actions are possible.
Install Mechanism
Install uses the public npm package 'latchkey' which is a reasonable distribution channel for a Node CLI. Npm packages carry supply-chain risk (malicious or vulnerable code); nothing in the manifest points to a forged/obscure download, but you should verify package provenance/version/signature before installation.
Credentials
No environment variables or primary credentials are requested by the skill itself, which is proportionate. The tool manages API tokens locally per the instructions; that behavior is expected, though the SKILL.md's claim that credentials 'are never transmitted anywhere beyond the endpoints specified by the actual curl calls' is a trust assertion you cannot verify from the manifest alone.
Persistence & Privilege
always is false and the skill doesn't request persistent platform privileges or modify other skills. The agent may invoke the skill autonomously (default), which is normal; consider policy controls if you don't want autonomous HTTP actions.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install latchkey
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /latchkey 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.3.0+5
- Changed install instructions metadata from npm to node in compatibility requirements.
v2.3.0+4
- Updated the description to include "AWS" and "Google Drive" in the list of example services. - No functional or instruction changes; only the service examples in the description were broadened.
v2.3.0+3
Try to fix the openclaw metadata.
v2.3.0+2
Another try at an openclaw-friendly formulation of the skill.
v2.3.0+1
Initial openclaw-compatible version.
v2.3.0
Latchkey 2.3.0 Initial OpenClaw-compatible version.
元数据
Slug latchkey
版本 2.3.0+5
许可证
累计安装 0
当前安装数 0
历史版本数 6
常见问题

Latchkey 是什么?

Interact with arbitrary third-party or self-hosted services (AWS, Slack, Google Drive, Dropbox, GitHub, GitLab, Linear, Coolify...) using their HTTP APIs. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 370 次。

如何安装 Latchkey?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install latchkey」即可一键安装,无需额外配置。

Latchkey 是免费的吗?

是的,Latchkey 完全免费(开源免费),可自由下载、安装和使用。

Latchkey 支持哪些平台?

Latchkey 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Latchkey?

由 Hynek Urban(@hynek-urban)开发并维护,当前版本 v2.3.0+5。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论