Hirey Compatible Install
Review
Audited by ClawScan on May 11, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
Install this only if you want the Hi/Hirey integration on this OpenClaw host. Review any approval-policy snippet before pasting it, back up or inspect `~/.openclaw/openclaw.json`, and treat receiver tokens in OpenClaw config as secrets. The artifacts do not show clear malicious behavior, but the setup is persistent and changes local agent capabilities. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing can change how the local OpenClaw host routes hooks and exposes the Hi MCP server.
The installer directly mutates the local OpenClaw configuration instead of going through the normal CLI path. The code comments describe a narrow scope, which is consistent with an installer's purpose, but the write can still change agent hook/MCP behavior.
Direct-fs read/write for `~/.openclaw/openclaw.json` ... Replaces every `runOpenClaw config get/set hooks/mcp.servers.<name>` ... narrowly write only the two fields we own (`hooks`, `mcp.servers.<name>`)
Run only when you intend to install Hi; consider backing up `~/.openclaw/openclaw.json` and review the resulting hooks and MCP server entries.
The agent may be allowed to run the scoped Hi plugin install command with fewer repeated approval prompts.
The skill asks the user to inspect and potentially modify OpenClaw approval policy so the Hi plugin install can proceed without repeated prompts. The command is user-directed and scoped to the Hirey install command, but it changes a local permission boundary.
Before running the install, probe `openclaw approvals get` (or read `~/.openclaw/exec-approvals.json`) ... `openclaw approvals set --stdin` ... `"ask": "on-miss"` ... `"argPattern": "^plugins\\s+install\\s+clawhub:hirey(\\b|$)"`
Paste the approval-policy command only if you trust this install flow, and restore your previous approval settings afterward if you do not want that exception to remain.
The installed Hi components come from the package's bundled vendor tree and version metadata controlled by the Hi/Hirey service.
The installer relies on publisher-prebundled Node package contents and a Hirey-hosted recommended-versions endpoint. That is a normal supply-chain pattern for a bundled installer, but it means users must trust the package publisher and the Hirey endpoint.
At render time the whole node_modules tree is prebundled into the bundle's ./vendor/, and at install time it is copied out with fs.cp ... the version number is now pulled from the hi-platform well-known endpoint
Install from a trusted ClawHub package/version, and verify the bundled package versions if supply-chain provenance matters for your environment.
Local Hi receiver traffic and hook access depend on stored tokens; exposure of the OpenClaw config could expose that local integration.
The installer configures local gateway/receiver communication and token-based access for the Hi integration. This is expected for local MCP/receiver setup, but the token and URL are sensitive configuration values.
export const DEFAULT_GATEWAY_BASE_URL = 'http://127.0.0.1:18789'; ... `HI_RECEIVER_TOKEN`, `HI_RECEIVER_URL`
Keep your OpenClaw config files private, avoid sharing logs/configs containing receiver tokens, and rotate or reinstall if the token is exposed.
