OpenClaw Hook Development
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent OpenClaw hook-development guide, but it demonstrates persistent gateway hooks, bootstrap context injection, and optional Telegram token use that users should review before enabling.
Use this skill only if you intend to develop OpenClaw Gateway hooks. Before enabling a hook, review the JavaScript, confirm which event triggers it handles, verify any Telegram bot token and chat ID, and disable the hook entry when you no longer need it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A hook copied from these examples can run code whenever relevant agent events occur, not only at the moment the user edits it.
The skill explicitly teaches hooks that execute JavaScript/TypeScript during agent lifecycle events. This is central to the skill’s purpose, but users should understand that enabled hooks run automatically at bootstrap.
Internal Hook 是 OpenClaw Gateway 内部的事件处理器,在 agent 生命周期事件(如 `agent:bootstrap`)触发时执行 JavaScript/TypeScript 代码。
Only enable hook files you have reviewed, keep event filters narrow, and remove or disable hook entries when they are no longer needed.
Hook-injected files may change the agent’s working context on future sessions.
The example injects a virtual file into the agent bootstrap context. This is disclosed and purpose-aligned, but injected context can influence what the agent sees and does.
event.context.bootstrapFiles.push({
path: 'HOOK_REMINDER.md',
content: reminderContent,
virtual: true,
});Keep injected content minimal, trusted, and clearly labeled; avoid injecting untrusted or user-supplied instructions into bootstrap files.
Anyone running or modifying the script could access the Telegram bot token from the local OpenClaw config.
The Telegram test script reads the local OpenClaw configuration to extract a bot token. This is expected for testing Telegram notifications, but the token is an account credential and is not declared in the registry metadata.
const configContent = fs.readFileSync(configPath, 'utf-8');
const tokenMatch = configContent.match(/\"botToken\":\s*\"([^\"]+)\"/);Use a dedicated Telegram bot token with limited purpose, verify the chat ID before sending, and avoid sharing logs or modified scripts that could expose credentials.