@srmcguirt/openclaw-composio
OpenClaw plugin exposing Composio's tool catalog (Gmail, Slack, GitHub, Notion, Linear, ~800+ toolkits) as callable agent tools.
Install
openclaw plugins install @srmcguirt/openclaw-composioConfigure
1. Get a Composio API key at https://platform.composio.dev 2. For each toolkit you want to use, create an auth config in the Composio dashboard and capture its id (ac_...) 3. Set the API key and config:
export COMPOSIO_API_KEY=ck_xxx
openclaw config set composio.toolkits '["github","gmail"]'
openclaw config set composio.authConfigIds '{"github":"ac_111","gmail":"ac_222"}'Multi-user (shared machine)
By default, userIdStatic is empty so the plugin refuses to call any tool until you identify yourself in the current session:
/composio whoami shane
/composio connect githubThis prevents one user accidentally operating another's connected accounts on a shared OpenClaw install.
For single-user installs, set userIdStatic once and skip whoami.
⚠️ Agent impersonation risk
Because OpenClaw's plugin-sdk does not yet expose a slash-command registration API, the /composio whoami command is implemented as a tool (cmp_command) that the LLM agent can invoke on its own. On a shared machine, a rogue or mistaken agent could theoretically switch user contexts without human input.
Mitigations in place:
- First-time
whoamisets the user; subsequent switches to a DIFFERENT user requireforce: true - Force-overrides emit a
warn-level log line for audit - If the plugin-sdk later gains a real
registerCommandAPI, we'll migratewhoamioff the tool surface
Until then: prefer single-user installs, or use userIdSource: "profile"/"env" to tie identity to OpenClaw profile / env var rather than a session toggle.
Slash commands
/composio whoami <userId>— set active user for this session/composio connect <toolkit>— start OAuth for a toolkit/composio list— list connected accounts for current user/composio disconnect <connectedAccountId>— revoke a connection/composio refresh— re-fetch tool catalog from Composio (new tools require restart; removed tools disabled immediately)/composio status— show plugin state
Note: the current openclaw/plugin-sdk does not expose a slash-command registration API; these commands are invoked via the cmp_command dispatcher tool until the SDK gains registerCommand support.
Pre-publish checklist
- [ ] Install plugin into a fresh OpenClaw instance via
openclaw plugins install - [ ] Set
COMPOSIO_API_KEY, configure one toolkit (github) - [ ] Boot OpenClaw; confirm tools registered (log check + agent palette)
- [ ] Run
/composio whoami <name> - [ ] Run
/composio connect github; complete OAuth in browser - [ ] Invoke one read-only tool (e.g. ask the agent "list my GitHub repos"); verify success
- [ ] Add another toolkit in config; run
/composio refresh; verify diff output - [ ] Run
npm run test:livewith a real API key to confirm SDK boundary intact - [ ] Verify upstream pull on the openclaw fork stays clean:
cd c:/git/openclaw && git pull upstream main
Development
npm install
npm test # unit + integration (mocked SDK)
npm run test:coverage
npm run test:live # gated by COMPOSIO_LIVE_TEST=1; needs COMPOSIO_API_KEY
npm run build
npm run typecheckLicense
MIT
