Infomaniak tools for OpenClaw

Potassium for OpenClaw

Install one native plugin to give OpenClaw safe, reviewed access to kDrive, Mail, kChat, URL shortener, and Infomaniak discovery workflows.

openclaw plugins install clawhub:@opencow42/potassium-openclaw

What it helps with

Practical Infomaniak work, inside OpenClaw

Potassium wraps the published liquid-potassium SDK with OpenClaw tools, agent skills, and safety defaults that keep credentials out of prompts and mutating actions blocked until you allow them.

kDrive

Find, create, and upload files

Resolve drives and folders, create directories or starter files, upload local files, and verify results.

Mail

Review mail and manage drafts

List mailboxes, inspect unread threads, move messages, and prepare draft responses through reviewed workflows.

kChat

Post and reply in channels

Send text or media, reply in threads, receive inbound events, and keep conversation context intact.

Links

Create chk.me short links

Check quota, list short links, create new links, and adjust expiration dates when mutations are enabled.

Discovery

Use the right Infomaniak action

Search operation metadata, describe API capabilities, and discover reviewed workflow coverage before acting.

Policy

Default to controlled access

Apply domain allowlists, operation allowlists or denylists, and mutation blocking before SDK calls run.

Install in 4 steps

Start with ClawHub, keep your token in the environment

The plugin reads INFOMANIAK_TOKEN from the OpenClaw process environment by default. For credential storage, prefer OpenClaw's built-in SecretRef workflow and audit command instead of memory notes or plaintext config.

1

Install and enable Potassium

ClawHub install
openclaw plugins install clawhub:@opencow42/potassium-openclaw
openclaw plugins enable potassium
2

Handle the token with OpenClaw Secrets

Use OpenClaw's secrets helper for supported credentials and verify that no plaintext secret residue remains. Potassium still points at the env var name, so keep the secret value in a trusted Gateway source such as the Gateway process environment or the global OpenClaw runtime env file.

Built-in secrets workflow
openclaw secrets configure
openclaw secrets audit --check
openclaw secrets reload

Natural-language setup prompt

If you are asking OpenClaw to help with setup, use a prompt that routes the secret through the native secrets feature:

Prompt for OpenClaw
Use OpenClaw's native secrets feature to configure my Infomaniak token for Potassium. Do not store the token in memory, chat history, plugin config, docs, logs, or committed files. Use SecretRefs or the Gateway environment as appropriate, keep Potassium configured with tokenEnvName: "INFOMANIAK_TOKEN", run openclaw secrets audit --check, then reload secrets or restart the Gateway. If you need the token value, ask me to enter it only through the OpenClaw secrets flow or a trusted local shell, not in chat.

Potassium token rule

Potassium does not need the token pasted into plugin config. Set the token where the OpenClaw Gateway can read it, then leave only the variable name in Potassium config.

Gateway environment
export INFOMANIAK_TOKEN="<your-infomaniak-token>"

See OpenClaw's Secrets management and secrets CLI docs for SecretRefs, providers, audits, and reloads.

3

Keep writes blocked by default

OpenClaw config
openclaw config patch --stdin <<'JSON5'
{
  plugins: {
    entries: {
      potassium: {
        enabled: true,
        config: {
          tokenEnvName: "INFOMANIAK_TOKEN",
          blockMutating: true
        }
      }
    }
  }
}
JSON5
4

Restart and verify the runtime

Gateway check
openclaw gateway restart
openclaw plugins inspect potassium --runtime --json

Example workflows

Ask for outcomes, not API plumbing

kDrive

“Create a project folder in kDrive, upload these local handoff files, and summarize what was created.”

Mail

“Review unread support threads, draft short replies for the urgent ones, and leave all writes blocked.”

kChat

“Post the deployment summary to the release channel and keep replies threaded in kChat.”

Short links

“Create a chk.me link for this release note and set an expiration date after the campaign.”

Safety defaults

Built to avoid accidental writes

  • Bearer tokens are read from environment variables only.
  • Use OpenClaw SecretRefs and openclaw secrets audit --check for supported credentials.
  • Mutating operations are blocked by default with `blockMutating: true`.
  • Reviewed workflows are preferred before lower-level raw calls.
  • Domain and operation policies run before SDK calls are made.