Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hook System
v1.0.0工具钩子系统。在工具执行前后注入自定义逻辑,支持: - PreToolUse: 工具执行前调用,可修改输入或阻止执行 - PostToolUse: 工具执行后调用,可修改输出或记录日志 当用户说"添加钩子"、"hook"、"拦截工具"、"工具前后处理"时触发。 依赖:Node.js 18+
⭐ 0· 18·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description match implementation: the script implements PreToolUse/PostToolUse hooks and runs configured commands before/after tool execution. The included examples (validation, logging, filtering) are consistent with the stated purpose.
Instruction Scope
SKILL.md and the script instruct running arbitrary shell commands as hooks. The documentation does not warn that hooks will inherit the process environment or can execute arbitrary network/file operations; the code spawns a shell for each hook, so hooks can read/write files, make network requests, or execute any command available to the runtime.
Install Mechanism
No install spec (instruction-only) and a single supporting script file are provided; nothing is downloaded from external URLs or written by an installer, which reduces supply-chain risk. The code is included in the package so there is no hidden remote install step.
Credentials
The skill declares no required env vars, but runHookCommand invokes child processes with env: { ...process.env, ...env }, meaning hooks receive the entire parent environment (all secrets/keys). This gives hooks access to any credentials present in the agent environment despite no declared need — a disproportionate and under-documented privilege.
Persistence & Privilege
always is false and the skill does not request persistent system-wide modifications. The agent can invoke the skill autonomously (default behavior) but that alone is normal and not flagged here. The skill does allow arbitrary hooks which increases risk if the agent auto-invokes it, but there is no evidence it modifies other skills or system configs.
What to consider before installing
This hook system does what it says: it runs configured shell commands before and after tool calls. However, those hook commands are executed via a shell and inherit the agent's entire environment — so any secrets or API keys in environment variables can be read and exfiltrated by hooks, and hooks can run network or filesystem operations. Before installing: (1) only allow vetted hook scripts from trusted sources; (2) prefer running this skill in an isolated environment or container; (3) avoid placing credentials in the agent environment or patch the script to pass a minimal sanitized env to hooks (replace env: { ...process.env, ...env } with a curated env object); (4) review any HOOK_PRE/HOOK_POST values you set and the contents of hook scripts (especially anything that writes logs, reads files, or performs HTTP requests); (5) if you require stronger safety, refuse autonomous invocation or restrict the agent's ability to attach hooks. Because the source is unknown and the code exposes full environment to hooks, treat this skill as high-risk unless you control and inspect all hook commands.scripts/hook-runner.mjs:54
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
hookvk97f21ga8yvbge58rpdpqzhzhx84bam6interceptorvk97f21ga8yvbge58rpdpqzhzhx84bam6latestvk97f21ga8yvbge58rpdpqzhzhx84bam6posttoolvk97f21ga8yvbge58rpdpqzhzhx84bam6pretoolvk97f21ga8yvbge58rpdpqzhzhx84bam6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.