HookCatch

v1.0.1

Test webhooks and expose local services using HookCatch - a developer-friendly webhook testing tool

⭐ 0· 598·0 current·0 all-time

by@hookcatch

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description match required artifacts: the skill requires the 'hookcatch' CLI and HOOKCATCH_API_KEY, which are appropriate for a webhook testing / tunneling tool. The wrapper's behavior (mapping HOOKCATCH_API_KEY → HOOKCATCH_TOKEN and forcing JSON output) is consistent with its stated goal of making the CLI AI-friendly.

✓

Instruction Scope

SKILL.md and wrapper instruct the agent to run the hookcatch CLI and to store/ use an API token. The instructions do not read unrelated system files or request other environment variables. Example code uses child_process.exec/spawn to call the CLI — expected for a CLI wrapper. It does recommend placing a token in ~/.openclaw/openclaw.json (user config) which is normal but worth noting because that file will contain the token the skill uses.

ℹ

Install Mechanism

Install spec uses npm to provide the 'hookcatch' CLI (a standard package manager). The skill includes an optional wrapper package.json (which lists hookcatch as a peerDependency) and a postinstall chmod step for the wrapper. Minor inconsistency: package.json marks hookcatch as a peerDependency rather than bundling it, but the SKILL.md/install metadata lists installing 'hookcatch' via npm — this is a documentation/packaging detail rather than a security problem. No arbitrary URL downloads or extraction from untrusted hosts were found.

✓

Credentials

Only HOOKCATCH_API_KEY (primaryEnv) is required; the wrapper also accepts HOOKCATCH_TOKEN for compatibility. No unrelated secrets or high-privilege credentials are requested. Environment usage seen in code is limited to mapping the API key/token to the CLI environment.

✓

Persistence & Privilege

The skill is not forced always-on (always:false) and does not request elevated privileges or modify other skills' configs. It only advises the user to add an API key to their OpenClaw config for convenience, which is a normal installation-time action.

Assessment

This skill is a thin, well-documented wrapper around the HookCatch CLI and appears to do what it claims. Before installing: 1) Confirm you trust the upstream 'hookcatch' CLI package (review the npm package and linked GitHub repo or docs) because the wrapper simply invokes that binary. 2) Protect your HOOKCATCH_API_KEY — do not paste it into public places. The README suggests storing it in ~/.openclaw/openclaw.json; if you do so, ensure that file's permissions and storage are appropriate. 3) Be cautious when using tunnels or replay functionality: exposing a local port publicly or replaying captured requests to arbitrary endpoints can leak sensitive data (webhook payloads often contain secrets). Use private bins, passwords, and short-lived tokens where possible, and rotate/revoke tokens if you suspect misuse. 4) The wrapper forces JSON output for some commands and maps env vars; this is benign but means any automation parsing output should expect that format. If you need higher assurance, inspect the hookcatch CLI code/repository before installing and avoid installing global packages from unknown sources.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🪝 Clawdis

Binshookcatch

EnvHOOKCATCH_API_KEY

Primary envHOOKCATCH_API_KEY

Install

Install HookCatch CLI (npm)

Bins: hookcatch

latestvk974fcxt1eg6751429mmmjzzan81aay9

598downloads

0stars

2versions

Updated 1mo ago

v1.0.1

MIT-0

HookCatch - Webhook Testing & Tunneling for OpenClaw

HookCatch is a webhook testing and localhost tunneling tool that lets you:

Create webhook bins to capture and inspect HTTP requests
Tunnel your localhost to test webhooks locally
Manage bins and view captured requests programmatically

Perfect for testing webhook integrations (Stripe, Twilio, GitHub, etc.) from your OpenClaw skills.

Quick Start

Authenticate with HookCatch:

hookcatch login
# Or use API token (recommended for automation):
hookcatch token generate
export HOOKCATCH_API_KEY="hc_live_..."

Create a webhook bin:

hookcatch bin create --name "Test Stripe Webhooks"
# Returns: https://hookcatch.dev/b/abc123xyz

View created bins:
```
hookcatch bin list
```

View captured requests:

hookcatch bin requests abc123xyz --format json

hookcatch bin requests --binId abc123xyz --format json

Available Commands

Bin Management

Create a new webhook bin:

hookcatch bin create [--name "My Bin"] [--private] [--password "secret"] [--format json]

Options:

--name: Optional bin name for organization
--private: Create private bin (PLUS+ tier required)
--password: Set password for private bin (min 4 chars)
--format: Output format (json recommended for automation)

Returns: Bin ID, webhook URL, and view URL

List your bins:

hookcatch bin list [--format json]

Shows all your bins with request counts and status.

Get requests for a bin:

hookcatch bin requests <binId> [--limit 50] [--format json|table] [--method GET] [--password "secret"]

Options:

--limit: Number of requests to fetch (default: 50)
--format: Output format - json for scripts, table for viewing
--method: Filter by HTTP method (GET, POST, etc.)
--password: Password for private bins (if required; owners can use their auth token)

Show a single request:

hookcatch request <requestId> <binId> [--format json|pretty] [--password "secret"]

Delete a bin:

hookcatch bin delete <binId> --yes

Update a bin:

hookcatch bin update <binId> --name "New Name"
hookcatch bin update <binId> --private --password "secret123"
hookcatch bin update <binId> --public

Show a single request:

hookcatch request <requestId> <binId> [--format json|pretty]

Replay a request to a new URL:

hookcatch replay <binId> <requestId> <url>
hookcatch replay --binId <binId> --requestId <requestId> --url <url>

Localhost Tunneling

Expose your localhost:

hookcatch tunnel 3000
# Creates: https://hookcatch.dev/tunnel/xyz789

List active tunnels:

hookcatch tunnel list

Stop a tunnel:

hookcatch stop <tunnelId>

Forward incoming requests from the public URL to your local port 3000.

Tunnel limits:

FREE: 5 min/session, 3 sessions/day
PLUS: 1h/session, unlimited
PRO/ENTERPRISE: Unlimited

API Token Management

Generate long-lived API token:

hookcatch token generate
# Store the token for automation
export HOOKCATCH_API_KEY="hc_live_..."

Check token status:

hookcatch token status

Revoke token:

hookcatch token revoke --yes

Account status:

hookcatch status
hookcatch whoami

Usage Examples for OpenClaw Skills

Example 1: Test Stripe Webhooks

# Create a bin for Stripe
BIN_URL=$(hookcatch bin create --name "Stripe Test" --format json | jq -r '.url')

# Use this URL in Stripe dashboard as webhook endpoint
echo "Configure Stripe webhooks to: $BIN_URL"

# Wait for webhooks...
sleep 10

# Fetch and analyze captured webhooks
hookcatch bin requests abc123xyz --format json | jq '.[] | {event: .body.type, amount: .body.data.object.amount}'

Example 2: Test Local API

# Start your local API on port 8000
# python -m http.server 8000 &

# Expose it via tunnel
hookcatch tunnel 8000 --password <password>

# Now external services can reach your local API via:
# https://hookcatch.dev/tunnel/xyz789

Example 3: Debug GitHub Webhooks

# Create bin
hookcatch bin create --name "GitHub Webhooks"

# In GitHub repo settings, add webhook URL
# Trigger events (push, PR, etc.)

# View requests
hookcatch bin requests abc123xyz --method POST --limit 10

Integration with OpenClaw Skills

When building OpenClaw skills that need to test webhooks:

// In your skill script
import { exec } from 'child_process';
import { promisify } from 'util';

const execAsync = promisify(exec);

// Create a bin
const { stdout } = await execAsync('hookcatch bin create --format json');
const { binId, url } = JSON.parse(stdout);

// Use the webhook URL in your integration
console.log(`Webhook URL: ${url}`);

// Later, fetch requests
const { stdout: requests } = await execAsync(
  `hookcatch bin requests ${binId} --format json`
);
const captured = JSON.parse(requests);

// Process captured webhooks
for (const req of captured) {
  console.log(`${req.method} ${req.path}: ${JSON.stringify(req.body)}`);
}

Environment Variables

HOOKCATCH_API_KEY - API token for authentication (recommended for automation)
HOOKCATCH_API_URL - Override API URL (default: https://api.hookcatch.dev)

Benefits for OpenClaw Users

No more ngrok setup: Use HookCatch tunnels for quick local testing
Webhook inspection: See exactly what Stripe/Twilio/etc. is sending
Automation-friendly: JSON output for easy parsing in skills
Private bins: Keep your test data secure with password protection
Fast & simple: One command to create bins or tunnels

Getting Help

Documentation: https://docs.hookcatch.dev
Discord: Join #hookcatch in OpenClaw Discord
GitHub: https://github.com/hookcatch/cli
Email: support@hookcatch.dev

Tips

Use API tokens for skills: Generate a token once and use it in HOOKCATCH_API_KEY
JSON format for automation: Always use --format json when parsing in scripts
Private bins for sensitive data: Use --private for production webhook testing
Clean up after testing: Delete bins with hookcatch bin delete to stay within limits

Built for OpenClaw by the HookCatch team 🪝

Comments

Loading comments...