HookCatch
v1.0.1Test webhooks and expose local services using HookCatch - a developer-friendly webhook testing tool
⭐ 0· 576·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match required artifacts: the skill requires the 'hookcatch' CLI and HOOKCATCH_API_KEY, which are appropriate for a webhook testing / tunneling tool. The wrapper's behavior (mapping HOOKCATCH_API_KEY → HOOKCATCH_TOKEN and forcing JSON output) is consistent with its stated goal of making the CLI AI-friendly.
Instruction Scope
SKILL.md and wrapper instruct the agent to run the hookcatch CLI and to store/ use an API token. The instructions do not read unrelated system files or request other environment variables. Example code uses child_process.exec/spawn to call the CLI — expected for a CLI wrapper. It does recommend placing a token in ~/.openclaw/openclaw.json (user config) which is normal but worth noting because that file will contain the token the skill uses.
Install Mechanism
Install spec uses npm to provide the 'hookcatch' CLI (a standard package manager). The skill includes an optional wrapper package.json (which lists hookcatch as a peerDependency) and a postinstall chmod step for the wrapper. Minor inconsistency: package.json marks hookcatch as a peerDependency rather than bundling it, but the SKILL.md/install metadata lists installing 'hookcatch' via npm — this is a documentation/packaging detail rather than a security problem. No arbitrary URL downloads or extraction from untrusted hosts were found.
Credentials
Only HOOKCATCH_API_KEY (primaryEnv) is required; the wrapper also accepts HOOKCATCH_TOKEN for compatibility. No unrelated secrets or high-privilege credentials are requested. Environment usage seen in code is limited to mapping the API key/token to the CLI environment.
Persistence & Privilege
The skill is not forced always-on (always:false) and does not request elevated privileges or modify other skills' configs. It only advises the user to add an API key to their OpenClaw config for convenience, which is a normal installation-time action.
Assessment
This skill is a thin, well-documented wrapper around the HookCatch CLI and appears to do what it claims. Before installing: 1) Confirm you trust the upstream 'hookcatch' CLI package (review the npm package and linked GitHub repo or docs) because the wrapper simply invokes that binary. 2) Protect your HOOKCATCH_API_KEY — do not paste it into public places. The README suggests storing it in ~/.openclaw/openclaw.json; if you do so, ensure that file's permissions and storage are appropriate. 3) Be cautious when using tunnels or replay functionality: exposing a local port publicly or replaying captured requests to arbitrary endpoints can leak sensitive data (webhook payloads often contain secrets). Use private bins, passwords, and short-lived tokens where possible, and rotate/revoke tokens if you suspect misuse. 4) The wrapper forces JSON output for some commands and maps env vars; this is benign but means any automation parsing output should expect that format. If you need higher assurance, inspect the hookcatch CLI code/repository before installing and avoid installing global packages from unknown sources.Like a lobster shell, security has layers — review code before you run it.
latestvk974fcxt1eg6751429mmmjzzan81aay9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🪝 Clawdis
Binshookcatch
EnvHOOKCATCH_API_KEY
Primary envHOOKCATCH_API_KEY
Install
Install HookCatch CLI (npm)
Bins: hookcatch