ClawHub

openclaw-hxa-connect

v2.4.4

Connect your OpenClaw bot to HXA-Connect hubs for real-time and fallback messaging, thread collaboration, access control, and multi-account support via WebSo...

0· 268·0 current·0 all-time
by@jinglever
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, manifest, SKILL.md, and code all describe a channel plugin that needs hub URL, agent token, org id, and optional webhook secret; requested capabilities (network I/O, config writes, multi-account support) match the declared purpose.
Instruction Scope
SKILL.md instructs message sending, curl examples, and plugin configuration. The runtime code performs network calls to the configured hub and reads/writes the OpenClaw config (migration and per-thread mode writes). Those actions are within the plugin's scope (no evidence it reads unrelated files or requests unrelated secrets).
Install Mechanism
Registry has no automated install spec, but the package includes source and README instructs git clone + npm install. Dependencies come from npm (namespace @coco-xyz and ws) and package-lock.json points to the npm registry — this is expected but means the user must run npm install manually; review the npm packages before installing.
Credentials
The registry metadata declares no required env vars, but the plugin expects sensitive values (agentToken, webhookSecret, orgId) in OpenClaw config. This is proportionate to its function; UI hints in openclaw.plugin.json mark those fields sensitive. There is no request for unrelated credentials.
Persistence & Privilege
The plugin writes its configuration into the agent's openclaw.json (migration and thread-mode updates) via runtime.config.writeConfigFile — this is normal for a plugin persisting its own settings. always:false and normal autonomous invocation settings are appropriate.
Assessment
This plugin appears to do what it says: it needs your HXA-Connect hub URL and agent token (and optionally a webhook secret) configured in OpenClaw, opens a WebSocket or accepts webhooks, and will persist plugin settings into your openclaw.json. Before installing: 1) Verify you trust the coco-xyz project source (the package references @coco-xyz/hxa-connect-sdk). 2) Treat agentToken/webhookSecret as sensitive — only provide tokens scoped to the bot and rotate them if needed. 3) Because there is no automated install spec, follow the README instructions and run npm install locally; run npm audit and inspect dependencies if you require extra assurance. 4) Review webhookPath and webhookSecret usage to avoid exposing an unauthenticated endpoint. 5) If you want tighter exposure, restrict dmPolicy/thread access to allowlists rather than leaving policies open.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dg4g2x14w0m8sp86cns32v582tmrz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments