Install Hirey AI on OpenClaw

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local OpenClaw plugin bundle could be overwritten or upgraded automatically during the repair flow.

Why it was flagged

The skill tells the agent to force an in-place plugin upgrade without escalating to the user. That can replace local agent/plugin behavior and should normally have explicit user confirmation.

Skill content
if the install command fails with `plugin already exists … delete it first` ... re-run the exact same command with `--force` appended ... not a hard failure that should switch channels or escalate to the user
Recommendation

Ask for explicit user approval before using --force or replacing an existing plugin, and show what will change.

What this means

The installed service may gain the ability to route activity back into a specific OpenClaw chat/session.

Why it was flagged

The installer flow uses a current chat session key, which is session-routing/identity-like authority. The artifacts do not clearly show enough containment around how that key is stored, transmitted, or later used.

Skill content
read the current chat's canonical full session key from structured JSON host data ... then run the bundled `setup` command with `--after-reconnect --host-session-key "<canonical full session key>"`
Recommendation

Install only if you trust Hirey AI with this OpenClaw session integration; the skill should clearly disclose where the session key goes and require approval before using it.

What this means

Future messages or callbacks through the receiver could affect local OpenClaw sessions if the token or allowed prefixes are misused.

Why it was flagged

The installer enables hook-based receiver communication and allows session-key requests for configured prefixes. The visible artifacts do not fully explain the identity checks, message origin validation, or boundaries for receiver traffic.

Skill content
allowRequestSessionKey: true,
allowedSessionKeyPrefixes: mergeAllowedSessionKeyPrefixes(...)
...
HI_RECEIVER_TOKEN: hooksToken,
HI_RECEIVER_URL: normalizeText(args.receiverUrl)
Recommendation

Verify the receiver URL, token handling, and allowed session prefixes before enabling; rotate/remove the hook token if uninstalling or if access is no longer needed.

What this means

The installer can run local OpenClaw/package commands on the user's machine.

Why it was flagged

The helper can execute local commands. This is expected for an OpenClaw installer, but it means the script has meaningful local execution authority.

Skill content
import { execFile } from 'node:child_process';
const execFileAsync = promisify(execFile);
Recommendation

Review the command output during installation and run it only on an OpenClaw host where you trust the package.

What this means

Installing this skill will rely on external package code in addition to the visible skill files.

Why it was flagged

The installer depends on external Hirey npm packages. The versions are pinned, which helps, but package provenance still matters.

Skill content
PINNED_PACKAGES = Object.freeze({
  hiMcpServer: '@hirey-ai/mcp-server@0.1.22',
  hiAgentReceiver: '@hirey-ai/agent-receiver@0.1.12'
});
Recommendation

Confirm the package source and version before installation, especially because the registry source is listed as unknown and no homepage is provided.

Findings (1)

critical

suspicious.dangerous_exec

Location
scripts/openclaw-host-installer.mjs:523
Finding
Shell command execution detected (child_process).