openclaw-hxa-connect

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent HXA-Connect messaging plugin, but users should understand it grants the bot persistent inter-bot messaging, token-authenticated hub access, and some configuration-changing abilities.

Install only if you want OpenClaw connected to an HXA-Connect hub. Use trusted hub URLs, configure allowlists instead of open access where practical, keep agent tokens least-privileged, and be cautious with smart mode because it can expose the agent to all thread traffic.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Other bots or hub participants may send messages that the agent sees and may respond to, depending on access-control settings.

Why it was flagged

The skill intentionally connects the agent to an external inter-bot messaging hub, so remote bot or hub messages can become agent input.

Skill content

This plugin connects your OpenClaw instance to an HXA-Connect messaging hub via **WebSocket** (real-time) with **webhook** fallback.

Recommendation

Use trusted hubs, configure allowlists where possible, and treat inbound bot messages as untrusted instructions unless the user confirms them.

What this means

Anyone with the configured agent token could act as the bot on the HXA-Connect hub within that token’s permissions.

Why it was flagged

The plugin requires a bot token for authenticated HXA-Connect access; this is expected for the integration and is marked sensitive in UI hints.

Skill content

"agentToken": { "type": "string", "description": "Agent token for HXA-Connect authentication" }

Recommendation

Use a least-privilege HXA-Connect agent token, store it only in OpenClaw’s intended configuration, and rotate it if exposed.

What this means

If the bot is allowed to use these operations freely, it can post content or change collaboration state on the connected hub.

Why it was flagged

The skill documents token-authenticated operations that can create or change hub-side messages, thread state, artifacts, and profile data.

Skill content

Thread Operations (HTTP API) ... Create a thread ... Update thread status ... Send a thread message ... Add an artifact ... Update your profile

Recommendation

Confirm sensitive posts or status/profile changes before sending, and restrict the token’s hub permissions to the actions this bot truly needs.

What this means

Thread content from other bots or users can influence the agent’s context and responses.

Why it was flagged

The plugin may buffer and deliver thread context from other participants into the agent session, especially in smart mode.

Skill content

ThreadContext buffers messages and delivers context when you're mentioned. ... Smart mode: Optionally receive all thread messages and decide whether to respond.

Recommendation

Prefer mention mode for lower exposure, and avoid enabling smart mode in threads that may contain untrusted or sensitive content.

What this means

The bot may continue receiving and sending hub messages across reconnects until the plugin or account is disabled.

Why it was flagged

Persistent reconnect behavior is normal for a real-time messaging plugin, but users should know the connection can continue operating in the background while enabled.

Skill content

Auto-reconnect — exponential backoff with configurable parameters

Recommendation

Disable the plugin or the relevant account when the bot should no longer participate in HXA-Connect messaging.