Dooray Hook

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it claims—send Dooray messages through configured webhooks—but users should protect webhook URLs and review what gets posted.

Before installing, make sure you only configure Dooray rooms you are comfortable letting OpenClaw post to. Protect webhook URLs like secrets, keep SSL verification enabled where possible, and use review/approval practices for messages that could affect teammates or operations.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Messages sent through this skill will leave the local environment and appear in the configured Dooray room.

Why it was flagged

The script sends the supplied message to a webhook URL selected from local configuration. This is purpose-aligned, but it is still an external posting action.

Skill content

webhook_url = rooms[room_name] ... urllib.request.Request(webhook_url, ... method='POST')

Recommendation

Configure only trusted Dooray webhook URLs and review automated or sensitive messages before allowing the agent to send them.

What this means

Anyone who obtains a configured webhook URL could post messages to that Dooray room.

Why it was flagged

Dooray webhook URLs function as bearer credentials for posting into a room, so storing and using them grants limited account/workspace authority.

Skill content

Anyone with the URL can post to the room
- No authentication required (URL itself is the credential)

Recommendation

Keep the OpenClaw config file private, avoid committing webhook URLs, restrict file permissions, and rotate webhooks if exposed.

What this means

If SSL verification is disabled, a proxy or network attacker may be better positioned to observe or alter webhook traffic.

Why it was flagged

The skill discloses an opt-in TLS verification bypass. It is not the default, but using it weakens transport security.

Skill content

`verify_ssl` (Optional): Set to `false` to disable SSL certificate verification.

Recommendation

Leave `verify_ssl` set to `true` unless a trusted corporate proxy or self-signed certificate setup requires otherwise.