OpenClaw Hawkins — VINES + VECNA
ReviewAudited by ClawScan on May 13, 2026.
Overview
This appears to be a legitimate OpenClaw orchestration plugin, but it gives agents persistent shared memory and broad delegation authority that need careful scoping before use.
Install this only if you want a powerful multi-agent OpenClaw setup. Before enabling it, set VECNA_AUTH_TOKEN, keep the VECNA service local or firewalled, use a dedicated MariaDB user and scoped Linear token, restrict hawkins tools to intended agents, and review early tool calls, tickets, and memory entries.
Publisher note
Publisher note — context for the ASI findings on openclaw-hawkins All five findings accurately describe documented design properties of the plugin, not undocumented risks. The reviewer's recommendations match what SECURITY.md, README.md, INSTALL.md, and orchestrator/HAWKINS_PROTOCOL.md ASI06 — Memory and Context Poisoning. VECNA is intentionally a shared MariaDB-backed knowledge store across the swarm — cross-orchestration recall is the product. SECURITY.md §"Shared agent memory (VECNA)" and vecna/spec.md §6 explicitly require operators to set VECNA_AUTH_TOKEN in production, bind the HTTP Nexus to 127.0.0.1 (the default), and review fragments via vecna_search + vecna_evolve. Recall ranking has built-in decay (importance < 5 && age > 6 months is demoted automatically). ASI02 — Tool Misuse and Exploitation. The 12 plugin tools register through OpenClaw's standard plugin mechanism; per-agent tool allowlisting is OpenClaw's responsibility (operators scope tools per agent in openclaw.json), not enforceable from inside an OSS plugin. README.md's plugin section explicitly recommends "restrict to intended Hawkins agents (Nexus + the 6 Tendrils) where possible and review tool calls for sensitive mutations". ASI07 — Insecure Inter-Agent Communication. Documented in SECURITY.md §"Inter-agent dispatch" and orchestrator/HAWKINS_PROTOCOL.md §"Important — what NOT to do". Mitigated at the plugin level: the configSchema deliberately rejects mariadb.password and linear.apiKey so secrets cannot land in openclaw.json — they're forced through the gateway environment. The "never pass secrets in tool arguments" rule is repeated in three docs. ASI03 — Identity and Privilege Abuse. Documented in INSTALL.md §"One-time Linear setup" (Least-privilege tip callout) and SECURITY.md §"Linear API integration". We explicitly recommend an OAuth app token scoped to a single team rather than a Personal API key, and "review the first tickets the orchestrator creates within a few minutes of the first dispatch". The plugin cannot enforce the operator's choice of token scope from inside the package. ASI05 — Unexpected Code Execution. `openclaw plugins install clawhub:openclaw-hawkins && openclaw hawkins setup` is the package's documented install flow. The setup command applies vines_ledger + vecna_hive schemas to the operator-configured MariaDB and creates 6 OpenClaw specialist agent workspaces from bundled AGENTS.md templates. Every side effect is listed in the post-install banner; the command is non-destructive (skips existing workspaces). Not hidden, not automatic — operator-initiated. In short: each finding maps to a design property the plugin author has documented openly, with the same mitigation the reviewer recommends. The plugin is functional end-to-end against real services (proven via real Telegram-routed Dobby dispatch creating Linear tickets DOB-31..36 and writing/recalling VECNA fragments).
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised local process or less-trusted agent could poison shared memory, causing future agents to use stale, misleading, or attacker-influenced context.
The skill intentionally creates persistent shared memory, and the documented no-token case allows any reachable local process to write or modify memories that agents may later reuse.
VECNA stores fragments in a single MariaDB table (`vecna_hive`) ... without it, any process that can reach the Hive port (default `127.0.0.1:8765`) can connect and evolve fragments.
Set VECNA_AUTH_TOKEN before use, keep the Hive bound to localhost or firewall it, restrict vecna_* tools to trusted agents, and regularly review/deprecate memory fragments.
If the orchestrator or a planner is steered by bad input, it may delegate sensitive tasks to specialist agents that can affect the host, tickets, or stored state.
The artifacts acknowledge that sensitive delegated actions are not stopped at the orchestration layer and depend on prompt/persona constraints and operator configuration.
Adversarial planner output. If a malicious planner asks the orchestrator to dispatch sensitive commands, the orchestrator will. Defence belongs in the specialist personas (`agents/*/AGENTS.md`).
Limit tool access per agent, require human approval for shell, database, Linear, or other high-impact mutations, and audit specialist agent prompts and tool calls.
Using a broad Linear key could let the orchestrator create, comment on, or transition tickets beyond the intended team or project.
Linear access is purpose-aligned for ticket oversight, but the documented setup path can use a broad personal API key unless the operator deliberately scopes it.
A Linear Personal API key inherits the full permissions of the issuing user across every team they belong to. For production, prefer an OAuth app token scoped to a single team.
Use a dedicated Linear OAuth token scoped to one team, avoid personal API keys for production, and review the first tickets the system creates.
Secrets or sensitive data placed in tool arguments, messages, or recalled memory may be exposed to another agent and its configured model provider.
The inter-agent dispatch flow intentionally forwards messages and recalled context across agent/model boundaries, which is expected for this skill but sensitive.
Tool inputs and recall context are forwarded into the receiving agent's prompt and from there to its model provider.
Never send secrets in agent messages or tool arguments, configure trusted model providers, and keep agent/task boundaries explicit.
Running setup changes the OpenClaw environment by adding agents and database schemas.
The setup command performs real local provisioning, but it is documented as an explicit operator-initiated step rather than hidden automatic execution.
openclaw hawkins setup ... Provision schemas + the 6 specialist agents in one shot
Run setup only on the intended host, review the post-install banner, and back up existing OpenClaw workspace configuration before provisioning.