Connect Plugin: Why It Exists
Why the LaunchThatBot connect plugin exists, the design trade-offs behind it, and how it lets you connect an external OpenClaw instance safely while keeping full control.
Updated Feb 18, 2026
Why this plugin exists
Most OpenClaw users fall into one of two groups:
- users who deploy from LaunchThatBot and want a fully managed lifecycle
- users who already run OpenClaw on their own VPS, workstation, or custom stack
This plugin is built for the second group.
Its purpose is simple: connect your existing OpenClaw instance to LaunchThatBot without forcing migration or rehosting.
You keep your infrastructure. LaunchThatBot provides visibility, coordination, and account-linked control plane features around it.
Core goals
This plugin was intentionally designed around four goals:
- Easy install
  - install from npm in one command
  - no custom runtime fork required
- Explicit access control
  - defaults to read-only posture
  - configurable filesystem scope via fs.allowedRoots
  - high-risk capabilities behind feature flags (features.enableMutations, features.enableSqlQuery)
- Secure account-linked authorization
  - connect flow goes through LaunchThatBot auth host
  - user signs in or creates account
  - linking is approved in browser, then plugin completes automatically
- Detach-friendly architecture
  - no lock-in to managed provisioning
  - you can stop using the plugin and keep your infrastructure running independently
Why it is built this way
OpenClaw instances often run in environments where callback assumptions break:
- remote SSH sessions
- headless containers
- NAT/firewall-constrained hosts
- machines with no stable inbound route
That is why the flow is “browser authorize + plugin completes from its own outbound polling,” instead of requiring local callback servers or fragile deep-link handoffs.
It improves reliability while keeping auth and consent in LaunchThatBot account context.
User flow in practice
- Install plugin in OpenClaw.
- Run launchthatbot.connect.begin.
- Click returned URL.
- Sign in / create LaunchThatBot account.
- LaunchThatBot records authorization.
- Plugin auto-completes link and stores connection state.
No manual copy/paste pairing tokens are required in the default flow.
Access model
By default, this plugin favors safety:
- mutation features are off
- SQL query tool is off
- filesystem access is limited to configured roots
Suggested rollout:
- connect in read-only mode
- set explicit root allowlist
- enable write features only when operationally needed
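One way to enforce a default-deny access model like the one above, as an added example that is not the plugin's own code. The nested config shape is assumed from the key names on this page; authorize, the request kinds, and the injected realpath are hypothetical.

```javascript
// Added example: hypothetical policy check, not LaunchThatBot plugin code.
// Config shape is assumed from the dotted key names on this page.
const DEFAULTS = {
  fs: { allowedRoots: [] }, // nothing is reachable until roots are set
  features: { enableMutations: false, enableSqlQuery: false },
};

// Lexically normalise an absolute POSIX path ("." and ".." collapsed).
function normalize(p) {
  if (typeof p !== "string" || !p.startsWith("/") || p.includes("\0")) return null;
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return "/" + out.join("/");
}

// Compare on segment boundaries so /data does not also match /data-secret.
function underRoot(target, root) {
  return root === "/" || target === root || target.startsWith(root + "/");
}

// realpath is injected so symlinks are resolved before the comparison; in Node
// pass fs.realpathSync. The identity default only suits offline demonstration.
function authorize(request, config = DEFAULTS, realpath = (p) => p) {
  const features = { ...DEFAULTS.features, ...(config.features || {}) };
  const roots = ((config.fs || {}).allowedRoots || []).map(normalize).filter(Boolean);
  if (request.kind === "sql") {
    return features.enableSqlQuery ? "allow" : "deny: features.enableSqlQuery is off";
  }
  if (request.kind !== "read" && request.kind !== "write") return "deny: unknown request kind";
  if (request.kind === "write" && !features.enableMutations) {
    return "deny: features.enableMutations is off";
  }
  const lexical = normalize(request.path);
  if (lexical === null) return "deny: path must be absolute";
  let resolved;
  try { resolved = normalize(realpath(lexical)); } catch { resolved = null; } // fail closed
  if (resolved === null || !roots.some((r) => underRoot(resolved, r))) {
    return "deny: outside fs.allowedRoots";
  }
  return "allow";
}
```

The sibling-prefix, `..` and symlink cases are the ones a plain string-prefix comparison gets wrong, so they are worth testing against any root allowlist before enabling write features.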
Detach when you want
This architecture is intentionally reversible.
You can disconnect the plugin flow and continue running OpenClaw independently on your infrastructure.
LaunchThatBot adds control-plane value; it does not replace your host ownership model unless you choose managed deployment paths.