Hookaido Webhook Integration
v2.2.4Webhook infrastructure for receiving, queuing, and delivering webhooks. Operate Hookaido webhook ingress, durable webhook queue (SQLite/Postgres), webhook de...
⭐ 1· 911·1 current·1 all-time
bySebastian Gieseler@7schmiede
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (webhook ingress, durable queue, delivery, HMAC verification, pull API) line up with the declared requirements: a hookaido binary and two secrets (HOOKAIDO_PULL_TOKEN, HOOKAIDO_INGRESS_SECRET). There are no unrelated credentials or surprising binaries requested.
Instruction Scope
SKILL.md focuses on Hookaidofile editing, config validation, runtime commands, and admin/pull APIs — all within scope. It also documents 'deliver exec' (subprocess delivery) and shows how to run local scripts that receive webhook payloads on stdin; this is an expected Hookaido feature but is operationally powerful (it runs arbitrary local executables with webhook data). Users should audit delivery scripts and execution surfaces before enabling exec delivery.
Install Mechanism
Installers are either 'go install' or direct GitHub release downloads pinned to v2.2.2. The included fallback script verifies SHA256 checksums before extraction; downloads come from GitHub releases (a well-known host). Archives are extracted to user-local directories (~/.local/bin or ~/.openclaw/tools) which is typical.
Credentials
Declared required env vars (HOOKAIDO_PULL_TOKEN primary, HOOKAIDO_INGRESS_SECRET) are appropriate for pull API auth and ingress HMAC verification. The docs reference other optional envs (HOOKAIDO_POSTGRES_DSN, provider secrets like GITHUB_WEBHOOK_SECRET, installer overrides such as HOOKAIDO_VERSION/HOOKAIDO_SHA256) but these are optional and sensible for the described workflows.
Persistence & Privilege
Skill is not always-enabled and does not request system-wide changes. Install actions place a user-local binary; the skill does not modify other skills or require elevated privileges. The skill allows autonomous invocation (default) which is normal for skills; no other high-privilege flags are present.
Assessment
This skill appears internally consistent with its stated purpose. The install paths and downloads are pinned to GitHub releases and the fallback installer verifies SHA256 checksums — good practices. Before installing, consider: 1) Run Hookaido inside a sandbox/container if possible; the skill documents 'deliver exec' which executes local programs with webhook payloads — audit any scripts (e.g., /opt/hooks/deploy.sh) and avoid delivering untrusted payloads to exec handlers. 2) Provide only the secrets needed (HOOKAIDO_PULL_TOKEN, HOOKAIDO_INGRESS_SECRET) and rotate them per policy; review any optional envs (database DSNs, provider secrets) before populating them. 3) The fallback installer writes to your home directory (~/.local/bin or ~/.openclaw/tools) and uses curl; if you prefer, use the 'go install' path or a pinned sandbox image. 4) Because the agent can invoke the skill autonomously by default, restrict agent permissions and review audit logging if you enable production runtimes. If you want more assurance, inspect the downloaded Hookaido binary release or run it in an isolated environment first.Like a lobster shell, security has layers — review code before you run it.
latestvk97ek2xdm803qrqhsh0xn9ab1n84wezt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🪝 Clawdis
Binshookaido
EnvHOOKAIDO_PULL_TOKEN, HOOKAIDO_INGRESS_SECRET
Primary envHOOKAIDO_PULL_TOKEN
Install
Go
Bins: hookaido