OpenClaw / claw-family
Connect Loomal to OpenClaw and any AgentSkills-compatible client (picoclaw, nanoclaw, …)
Loomal ships as an AgentSkills-compatible skill, so it installs cleanly across the whole claw family. The skill teaches the agent when to use each capability; the MCP server provides the actual tools.
Compatibility
| Client | Install |
|---|---|
| OpenClaw | clawhub install loomal-skill + openclaw mcp set loomal … |
| picoclaw | AgentSkills spec — same package, same MCP register flow |
| nanoclaw | AgentSkills spec — same package, same MCP register flow |
| Other claw-family forks | If they follow AgentSkills, the same skill should work |
If you're running another claw-family client, report install results — working or not — on the skill repo.
Setup
1. Install the skill
clawhub install loomal-skillThis installs SKILL.md into your workspace's skills/ directory and registers Loomal's capabilities with the agent.
If your client doesn't ship clawhub, copy the loomal-skill/ folder into its skills directory manually.
2. Register the Loomal MCP server
The skill provides instructions; the MCP server exposes the tools. Register it once per machine:
openclaw mcp set loomal '{"command":"npx","args":["-y","@loomal/mcp"],"env":{"LOOMAL_API_KEY":"loid-your-api-key"}}'Get your loid-... key from console.loomal.ai. The scopes on the key determine which tools appear.
Non-OpenClaw forks may use a different MCP register command (e.g., picoclaw mcp add …). The JSON payload stays identical; consult your client's docs for the exact invocation.
Verify
Ask your agent:
Who am I?
It should call identity_whoami and return your agent's email (agent-xxx@mailgent.dev), DID, and the scopes attached to your key.
Available tools
| Category | Tools |
|---|---|
| Identity | identity_whoami, identity_sign, identity_verify |
mail_send, mail_reply, mail_list_messages, mail_get_message, mail_get_attachment, mail_list_threads, mail_get_thread, mail_update_labels, mail_update_thread_labels, mail_delete_message, mail_delete_thread | |
| Vault | vault_list, vault_get, vault_store, vault_delete, vault_totp, vault_totp_use_backup |
| Calendar | calendar_create, calendar_update, calendar_list, calendar_get, calendar_delete, calendar_set_public |
| Payments | payments_challenge, payments_redeem, payments_list, sellers_endpoints_* |
Tools only appear if your identity has the required scopes. The trust boundary is enforced server-side: a compromised agent can never exceed the scopes on its key.
Usage examples
End-to-end flow — signup, 2FA enrollment, and a paid API call:
> Sign me up for serviceX.com using my agent email,
store the login + 2FA in the vault, and call their
paid /search API for $0.05.
[agent uses identity_whoami to get agent-xxx@mailgent.dev]
[agent fills signup form with that email + a generated password]
[agent polls mail_list_messages until the welcome email arrives]
[agent reads the verification link with mail_get_message and follows it]
[agent stores the credential with vault_store: type=LOGIN + TOTP attached]
[agent fetches the live 2FA code with vault_totp]
[agent receives 402, builds X-Payment header, calls payments_redeem]Other common requests:
> Check my inbox for unread emails
> Reply to the latest email from Sarah
> Store my Stripe API key in the vault
> Get my AWS 2FA code
> Schedule a meeting with the team for Tuesday at 2pm
> Make my calendar publicMultiple inboxes
Register one MCP server per identity:
openclaw mcp set loomal-sales '{"command":"npx","args":["-y","@loomal/mcp"],"env":{"LOOMAL_API_KEY":"loid-sales-key"}}'
openclaw mcp set loomal-support '{"command":"npx","args":["-y","@loomal/mcp"],"env":{"LOOMAL_API_KEY":"loid-support-key"}}'Tools are namespaced per server (e.g., loomal-sales:mail_send vs loomal-support:mail_send).
Platform mode
Use a platform key (lopk-) to manage all identities in your org from a single MCP registration:
openclaw mcp set loomal-platform '{"command":"npx","args":["-y","@loomal/mcp"],"env":{"LOOMAL_API_KEY":"lopk-your-platform-key"}}'This exposes identities_list, identities_create, identities_delete, identities_rotate_key, and identities_update_scopes instead of the per-identity capability tools.
Security note
OpenClaw — like any agent with broad local system access — has shipped high-severity CVEs. Loomal's defense in depth is scope-gated API keys: a compromised agent is bounded by the scopes on its loid-... key. Scope keys per task rather than org-wide, revoke immediately on suspected compromise, and prefer the narrowest scope set (e.g., mail:read when send isn't needed).
Remove
openclaw mcp remove loomal
clawhub uninstall loomal