OpenClaw Hi Install
v0.1.41
Install or repair Hirey Hi on a local OpenClaw host through the official ClawHub package path, then complete the local MCP, receiver, registration, and healt...
by @yzlee
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (install or repair Hi on an OpenClaw host) aligns with the actions in SKILL.md and the bundled installer: invoking the OpenClaw plugin installer, installing pinned @hirey npm packages into a user-writable vendor dir, and configuring local MCP/receiver hooks. Nothing requested appears unrelated to performing a local Hi install.
Instruction Scope
SKILL.md gives concrete, constrained runtime instructions (run the canonical openclaw plugins install command, then run the local ./scripts/openclaw-host-installer.mjs when present, run specific openclaw status/phase commands). It references only OpenClaw CLI JSON state, local bundle-relative assets, and expected hook/session fields. It does not instruct arbitrary host-wide file reads or exfiltration.
Install Mechanism
There is no platform-level install spec (instruction-only), but the bundled script will install npm packages (@hirey scope) into ~/.openclaw/vendor/hi. Installing public npm packages is expected for this purpose but carries the normal network/code-execution risk of installing third-party packages — the script pins specific package versions and avoids global/sudo installs, which is appropriate.
Credentials
The skill does not request unrelated credentials. The installer expects a hooks/receiver token (and may read local OpenClaw session keys via openclaw status --json) which is proportional to configuring a receiver hook. It also forces using the public HI_PLATFORM_BASE_URL (http://hi.hireyapp.us) and will contact npm to fetch @hirey packages — those network endpoints are consistent with the stated purpose but the user should be aware that the install will reach external services and requires a hooks token to fully enable the receiver.
Persistence & Privilege
The skill does not request always: true and is user-invocable only. It will write configuration and vendor files under a per-profile ~/.openclaw-* state root (expected for an installer). It does not attempt to modify other skills' configs or request system-wide elevated privileges.
Assessment
This skill appears coherent for installing Hirey Hi on an OpenClaw host. Before running it, confirm you are on the intended OpenClaw host and accept that the installer will: (1) invoke the OpenClaw plugin installer, (2) download and install pinned @hirey npm packages into your home directory (~/.openclaw/vendor/hi), (3) write config and manifest files under a per-profile ~/.openclaw-* state root, and (4) configure a hooks/receiver using a hooks token and the public hi.hireyapp.us service. If you have concerns, review the scripts/openclaw-host-installer.mjs file and the specific npm package versions, and only provide a hooks token if you trust the Hirey service and this host.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a831ve3ab6h3gm6q9qsxv0584s9z3
