Bundle Pluginsource linked
Install Hirey Hi on OpenClawv0.1.41
hirey-openclaw-hi-install
openclaw bundles install clawhub:hirey-openclaw-hi-installLatest release: v0.1.41Download zip
Capabilities
- Bundle format
- generic
- Host targets
- openclaw
- Runtime ID
- hirey-openclaw-hi-install
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description say this is an OpenClaw-focused installer for Hirey Hi; the skill includes a bundled installer script and a detailed SKILL.md that instructs the agent to call the OpenClaw package installer then the local ./scripts/openclaw-host-installer.mjs. There are no unrelated required env vars, binaries, or external credentials requested, so requested capabilities align with the stated purpose.
Instruction Scope
SKILL.md explicitly instructs one blocking execution of the canonical ClawHub package install command, then to run the bundled installer; it also instructs generating a hooks bearer token, writing OpenClaw config and MCP entries, and using pinned @hirey npm packages. These actions are consistent with installing and wiring a local service. The instructions do read host session data (openclaw status --json) and manipulate host config/MCP state — these are necessary for registration and are within the installer's scope.
Install Mechanism
There is no platform install spec in the registry metadata (instruction-only), but the bundle includes an executable Node.js installer that will install pinned npm packages into a vendor dir (~/.openclaw/.../vendor/hi) and execute local binaries. Installing packages from npm is expected for this task, but it does mean code from the npm registry will be fetched and executed locally; verify the @hirey package names and versions if you need stricter assurance.
Credentials
The skill does not request unrelated environment variables or external credentials. It will generate and persist a fresh hooks bearer token and set HI_* env entries in the Hi MCP server config; that behavior is justified by the installer purpose. No excessive cross-service credentials are requested by the SKILL.md or the included script.
Persistence & Privilege
The installer will write persistent state to the user's home (e.g., ~/.openclaw* and profile-scoped hi-state dirs), set OpenClaw config and MCP servers, and install vendor binaries. This is expected for a local OpenClaw install but is a privileged operation on the host filesystem and OpenClaw config — users should consent to those changes and back up existing config if needed. The skill is not marked always:true and does not modify other skills.
Assessment
This skill is an installer bundle that will: run the ClawHub package install command, run the bundled Node installer, install pinned @hirey npm packages into a vendor directory under your home, write OpenClaw config and MCP entries, and generate a fresh bearer token for local hooks. Those actions match an installer, but they are invasive (writes to ~/.openclaw*, starts local vendor binaries, and modifies OpenClaw MCP/config). Before installing: verify you trust Hirey and the @hirey npm packages and their versions, back up your OpenClaw config (~/.openclaw*), ensure you are comfortable with local processes listening at 127.0.0.1:18789 and calls to hi.hireyapp.us, and consider running the bundled installer manually in a shell to inspect its stdout/stderr. If you want more assurance, inspect the full openclaw-host-installer.mjs source and the referenced npm packages on the registry before proceeding.Verification
- Tier
- source linked
- Scope
- artifact only
- Summary
- Validated package structure and linked the release to source metadata.
- Commit
- 097308a389c2
- Tag
- master
- Provenance
- No
- Scan status
- clean
Tags
- latest
- 0.1.41