Plugin v0.1.45
ClawScan security
Install Hirey Hi on OpenClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 27, 2026, 7:26 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement a plausible OpenClaw installer for Hirey Hi, but the metadata and declared requirements are inconsistent with the runtime instructions and included installer script — review and sandbox before running.
- Guidance: This bundle contains a Node installer script that will run on the host, call the OpenClaw CLI, and install npm packages into ~/.openclaw/vendor/hi; it will generate and write hook bearer tokens and update OpenClaw config/state. Before installing: (1) confirm you trust the Hirey project and the ClawHub package 'hirey-openclaw-hi-install' at the source you expect; (2) inspect the included script (openclaw-host-installer.mjs) to verify no unexpected network endpoints or arbitrary exec calls beyond openclaw/npm/node; (3) ensure Node and the openclaw CLI are available, and back up your OpenClaw config (e.g., ~/.openclaw/openclaw.json); (4) consider running the installer in a sandboxed/test host first to observe behavior and network activity (npm downloads, calls to hi.hireyapp.us); and (5) note the registry metadata does not declare required binaries/config paths — treat that omission as a red flag and request the publisher correct the metadata if you intend to trust this for production hosts.
Review Dimensions
- Purpose & Capability (concern): The skill claims to be an install/repair bundle for Hirey Hi and includes a bundled Node installer script that will call the OpenClaw CLI and install npm packages. However, the registry metadata declares no required binaries or config paths even though the instructions and script clearly rely on 'openclaw', Node (to run the .mjs), and npm (to install @hirey/* packages). That mismatch between what is declared and what the skill actually requires is an incoherence worth flagging.
- Instruction Scope (note): The SKILL.md provides detailed, targeted instructions: run the canonical 'openclaw plugins install clawhub:hirey-openclaw-hi-install' and then run the bundled './scripts/openclaw-host-installer.mjs'. The instructions explicitly operate on OpenClaw host config (openclaw config set / openclaw mcp set), generate and write hook tokens, and read session keys from 'openclaw status --json' for phase-2 registration. Those actions are within scope for an installer, but they do involve reading session data and writing host configuration and generated tokens — so an operator should expect the skill to access and persist local host state.
- Install Mechanism (note): There is no formal install spec in the metadata (instruction-only), but the bundle includes an executable Node script that will install pinned npm packages (@hirey/hi-mcp-server and @hirey/hi-agent-receiver) into a user-writable vendor dir under the user's home (~/.openclaw/vendor/hi). Using npm is a common choice for this functionality; this is moderate-risk because it will download and write code to disk and run binaries from that vendor dir. The installer does not appear to fetch code from arbitrary personal servers, but it does rely on external package distribution (npm) and network access.
- Credentials (concern): The skill declares no required environment variables or primary credentials, yet the installer generates and stores bearer tokens for OpenClaw hooks and will read sensitive local session keys via 'openclaw status --json' and write persistent host config under ~/.openclaw*. That behavior is functionally justified for a host installer, but the lack of declared required binaries/config paths in the metadata hides these needs and increases the chance a user will run it unknowingly. No external service credentials are requested, and the default target platform URL is the public hi.hireyapp.us service defined by the skill.
- Persistence & Privilege (ok): The skill does not request 'always: true' and is user-invocable only. It will persist install artifacts and configuration in the user's home (~/.openclaw, vendor, hi state dir) and set OpenClaw MCP/config entries — this is normal for an installer and appropriate for the stated purpose. Autonomous invocation is allowed by default but is not combined with other high-privilege flags.
