Code Plugin (source linked)

Hi OpenClaw Plugin v1.0.46

Hirey Hi as a native OpenClaw plugin: registers the Hi tools, the agent-events claim service, and webhook ingress directly inside the gateway process. No independent daemons, no `mcp.servers.hi` indirection, and no per-run frozen tool inventory boundary. Same business logic as @hirey/hi-mcp-server / @hirey/hi-agent-receiver, but wired through OpenClaw's native register(api) instead of stdio MCP plus a spawned daemon. Install path by OpenClaw version: 5.4+ via ClawPack (`clawhub:hirey`); 5.2 ~ 5.3 via the npm fallback `openclaw plugins install npm:@hirey-ai/hirey` (same plugin code; the ClawPack metadata path is broken in the 5.2 ~ 5.3 ClawHub clients, so the same tarball ships through npm as `@hirey-ai/hirey` for prod and `@hirey/hirey` for early, because the unscoped npm name `hirey` was rejected by npm's typosquatting policy); 4.23 ~ 5.1 must use the prod ClawHub bundle `clawhub:hirey-compatible`, because that runtime expects a date-format `compat.pluginApi` and rejects newer ranges.

hirey · runtime: hirey · by @yzlee
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:hirey
Latest release: v1.0.46

Capabilities

configSchema: Yes
Executes code: Yes
HTTP routes: 0
Runtime ID: hirey

Compatibility

Built with OpenClaw version: 2026.5.6
Min gateway version: >=2026.5.2
Plugin API range: >=2026.5.2

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The tools, background event service, webhook route, local state, and Hirey API calls fit the stated purpose of connecting an OpenClaw host to Hirey Hi for people-matching, messaging, listings, billing, phone binding, and staff-gated administration. I did not find artifact-backed destructive behavior or unrelated exfiltration.
Instruction Scope
The bundled skill instructs the agent to read the full current OpenClaw session key and pass it to hi_agent_install, while runtime code injects Hirey push events into future model context. These behaviors are purpose-aligned for reply routing, but the instructions do not give strong minimization or redaction handling for the session key or event payloads.
Install Mechanism
The package itself has no npm install script and the native plugin path does not use child_process. The README does recommend a separate compatible bundle install with --dangerously-force-unsafe-install for older hosts, which is disclosed as a fallback but should not be treated as this package's direct install behavior.
Credentials
On startup and registration, the plugin registers many tools, a long-running SSE/claim service, a plugin HTTP route, and a before_prompt_build hook. It also programmatically modifies ~/.openclaw/openclaw.json to allow plugin tools and enable hooks/session-key routing, which is high-impact host configuration authority with limited user-facing consent detail.
Persistence & Privilege
The plugin persists a Hirey identity with OAuth client credentials under ~/.openclaw/hi-mcp, stores pending push events keyed by hashed session key, reads OpenClaw session/config files, and exposes a one-time claim token through tool output. File modes and bounded queues reduce risk, but the privilege and secret-handling surface is material.
Scan Findings in Context
[SDI-2] unexpected: The unsafe-install command is documented for a separate older compatible bundle, not executed by this package's native install path. This is a user-guidance concern, not evidence that the reviewed artifact itself runs a child_process installer.
[SDI-4] expected: Webhook ingress is declared and coherent with event delivery. The handler is plugin-authenticated and queue-bounded, but it accepts any JSON object and lacks schema validation, so malformed events could still enter the local queue.
[SDI-4] expected: The long-running event service is expected for push delivery. The stop/abort issue appears to be a lifecycle reliability weakness rather than malicious behavior.
[SQP-2] unexpected: The README frames the dangerous fallback flag as required for older bundle installs. Because it is not prominent about the trust implications, users should treat that fallback as higher risk even though it is outside the native artifact's normal path.
[SQP-2] expected: Automatic tools.alsoAllow modification is purpose-aligned to make plugin tools visible, but it persistently changes host security/tool availability without an explicit confirmation boundary in the code path.
[SQP-2] expected: hi_agent_claim_export necessarily returns a transfer secret for reattaching another device. The description warns it is password-like, but returning the raw token in normal tool output can expose it in transcripts or logs.
[SQP-2] expected: Direct openclaw.json mutation enables hooks, a token, request-supplied session keys, and broad session-key prefixes. This matches push-routing needs but materially alters trust boundaries and is under-scoped for automatic self-heal behavior.
[SQP-2] expected: Forwarding full event payloads into hook messages and prompt context is expected for event rendering, but the artifacts do not show field-level allowlisting or redaction for potentially sensitive people, hiring, housing, dating, or messaging data.
[SQP-1] expected: The broad manifest matches the product's stated people-matching scope, and server-side authorization appears to gate staff-only capabilities. The combination of broad activation, startup service, hooks, and sensitive workflows still warrants Review.
[SQP-2] expected: Manifest and README disclose in-process tools, event service, webhook ingress, and on-disk identity state, but they do not clearly warn about automatic host config rewrites, session-key routing, or prompt-context injection.
[SQP-2] expected: Reading the full host session key is coherent for binding replies to the current chat, but the skill should explicitly say not to display, log, store, or reuse the key except for the registration call.
What to consider before installing
Install only if you trust Hirey with sensitive relationship, hiring, housing, billing, phone, and message data and are comfortable with the plugin changing OpenClaw configuration for hooks and plugin-tool access. Prefer the native clawhub:hirey path on supported OpenClaw versions; treat the older --dangerously-force-unsafe-install compatible bundle as a separate higher-risk fallback. After install, review ~/.openclaw/openclaw.json, the plugin state directory, and any claim tokens or session keys shown in transcripts.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
  • dist/clients.js:54: File appears to expose a hardcoded API secret or token.
  • dist/tools/control.js:248: File appears to expose a hardcoded API secret or token.
  • node_modules/@hirey/hi-agent-sdk/dist/client.js:161: File appears to expose a hardcoded API secret or token.

Verification

Tier: source linked
Scope: artifact only
Summary: Validated package structure and linked the release to source metadata.
Commit: 78ab15daeec3
Tag: main
Provenance: No
Scan status: suspicious

Tags

bundle-test: 1.0.25-bundle.0
latest: 1.0.46

hi-openclaw-plugin

Hirey Hi as a native OpenClaw plugin. Registers Hi's tools, agent-events claim service, and webhook ingress directly inside the OpenClaw gateway process — zero independent daemons, no mcp.servers.hi indirection, and no per-run frozen tool inventory boundary.

This is the OpenClaw 5.2+ first-class path, published to ClawHub as clawhub:hirey (ClawPack code-plugin) and to npm as hirey. OpenClaw 4.23 ~ 5.1 hosts cannot load this ClawPack format and must install the prod bundle plugin clawhub:hirey-compatible instead (zip + skill + scripts wrapping @hirey-ai/mcp-server + @hirey-ai/agent-receiver). All OpenClaw 4.23+ hosts can install clawhub:hirey-compatible as a universal fallback.

Why this exists

The bundle + spawn model needs:

  • one stdio child process for the MCP server (@hirey-ai/mcp-server)
  • one long-running daemon (@hirey-ai/agent-receiver) for cloud-to-host event delivery
  • a host installer mjs that uses child_process to run npm install + openclaw config set (which trips OpenClaw's pre-4.23 install scanner)
  • a two-message install flow because the LLM run that wrote mcp.servers.hi cannot call the just-installed tools in the same outer run (per-run frozen tool inventory)
  • hooks.token / hooks.path / hooks.allowedSessionKeyPrefixes / /hooks/agent plumbing on the OpenClaw side

This native plugin replaces all of the above with three OpenClaw plugin SDK calls running inside the gateway process:

  • api.registerTool(...) for every Hi tool — exposed to the LLM directly, no MCP layer
  • api.registerService(...) for the agent-events claim loop — gateway owns the lifecycle, no orphan daemon
  • api.registerHttpRoute(...) for the webhook ingress — uses gateway's HTTP server, no separate hooks token

Distribution paths

  • clawhub:hirey (this package, ClawPack code-plugin): OpenClaw 5.2+. Best UX, in-process, no boundary friction.
  • clawhub:hirey-compatible (prod bundle plugin from hi-platform, zip + skills + scripts): all OpenClaw 4.23+ hosts. Required for 4.23 ~ 5.1 (those hosts cannot load ClawPack); optional fallback for 5.2+ if the ClawPack install path has any issue. Wraps @hirey-ai/mcp-server + @hirey-ai/agent-receiver.
  • @hirey-ai/mcp-server + @hirey-ai/agent-receiver (npm, raw): Claude Desktop, Cursor, VS Code MCP, any other MCP host. Stable cross-host transport. Independent of OpenClaw.

Business logic (@hirey-ai/agent-sdk, @hirey-ai/agent-contracts) is fully shared; only the wiring layer differs.

Supported OpenClaw versions

  • 2026.5.2+: clawhub:hirey ✅ recommended (in-process); clawhub:hirey-compatible ✅ works but skips the native plugin benefits. Notes: ClawPack first-class path.
  • 2026.4.23 ~ 2026.5.1: clawhub:hirey ❌ (runtime expects date-format pluginApi and rejects semantic 1.0); clawhub:hirey-compatible ✅ recommended. Notes: the bundle is the only path.
  • 2026.4.14 ~ 2026.4.22: clawhub:hirey ❌ (same as above); clawhub:hirey-compatible ❌ (install scanner flags child_process in the installer mjs). Notes: unsupported; must upgrade OpenClaw.
  • < 2026.4.14: unsupported.

Install

Pre-flight: avoid the approval loop (one-time, ~5 seconds, recommended)

On a default OpenClaw host, tools.exec runs with security=allowlist and ask=off, and the natural-language install path stalls in an approval loop: each /approve <token> retry rotates the token because the gateway's followup dispatch cannot reuse the approved session token (tracked upstream at openclaw/openclaw#58662 and #27831). Before chatting with OpenClaw, paste this into your shell once:

openclaw approvals set --stdin << 'JSON'
{
  "version": 1,
  "agents": {
    "main": {
      "security": "allowlist",
      "ask": "on-miss",
      "allowlist": [
        {
          "pattern": "**/openclaw",
          "argPattern": "^plugins\\s+install\\s+clawhub:hirey(\\b|$)",
          "source": "manual"
        }
      ]
    }
  }
}
JSON

The change is live; no openclaw gateway restart is needed. The allowlist is intentionally narrow: it only matches openclaw plugins install clawhub:hirey* (covering clawhub:hirey, clawhub:hirey --force, and the bundle name clawhub:hirey-compatible) and does NOT broaden any other openclaw subcommand. Note that argPattern is anchored at the start but not at the end, so any flags after the package name are auto-approved by the same entry, including --dangerously-force-unsafe-install on the bundle path; if you want that flag to still prompt, anchor the pattern with $ after an optional --force.
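To see exactly what the pre-flight entry lets through, the script below replays the README's allowlist entry against sample command lines. This is an added example, not code from the hirey README or from OpenClaw. The pattern and argPattern strings are copied from the JSON above; the command lines are constructed, and it is an assumption that OpenClaw matches "pattern" against the executable path and tests "argPattern" as a regular expression over the remaining arguments joined by spaces. A stricter, end-anchored variant (strictArgRe) is shown beside it.

```javascript
// Added example (not from the hirey README or OpenClaw): replay the pre-flight
// allowlist entry against constructed command lines and report which ones
// would be auto-approved. Matching semantics are an assumption: "pattern" is
// compared to the executable path, "argPattern" is a RegExp over the
// space-joined remaining arguments.

// Same text as the README's allowlist entry, JSON escaping included, so the
// parsed argPattern is exactly the string the gateway would compile.
const allowlistEntryJson = String.raw`{
  "pattern": "**/openclaw",
  "argPattern": "^plugins\\s+install\\s+clawhub:hirey(\\b|$)",
  "source": "manual"
}`;

const entry = JSON.parse(allowlistEntryJson);
const readmeArgRe = new RegExp(entry.argPattern);

// Tighter alternative: anchor the end of the argument string so only the bare
// package name (hirey or hirey-compatible) plus an optional --force passes;
// anything else, including --dangerously-force-unsafe-install, still prompts.
const strictArgRe = /^plugins\s+install\s+clawhub:hirey(-compatible)?(\s+--force)?$/;

function executableMatches(exe) {
  // "**/openclaw" matches a bare "openclaw" or any path ending in /openclaw.
  return exe === "openclaw" || exe.endsWith("/openclaw");
}

// argv[0] is the executable, the rest are its arguments.
function wouldAutoApprove(argv, argRe = readmeArgRe) {
  const [exe, ...args] = argv;
  return executableMatches(exe) && argRe.test(args.join(" "));
}

// Constructed command lines covering the cases the README text mentions and
// a few it does not (trailing unsafe flag, similar-looking package names).
const samples = [
  ["openclaw", "plugins", "install", "clawhub:hirey"],
  ["/usr/local/bin/openclaw", "plugins", "install", "clawhub:hirey", "--force"],
  ["openclaw", "plugins", "install", "clawhub:hirey-compatible"],
  ["openclaw", "plugins", "install", "clawhub:hirey-compatible", "--dangerously-force-unsafe-install"],
  ["openclaw", "plugins", "install", "clawhub:hireyx"],
  ["openclaw", "plugins", "install", "npm:@hirey-ai/hirey"],
  ["openclaw", "plugins", "uninstall", "clawhub:hirey"],
  ["openclaw", "config", "set", "hooks.token", "value"],
];

function evaluate(argv) {
  return {
    command: argv.join(" "),
    readme: wouldAutoApprove(argv, readmeArgRe),
    strict: wouldAutoApprove(argv, strictArgRe),
  };
}

function evaluateAll() {
  return samples.map(evaluate);
}

// Print one line per command: README entry verdict | strict verdict | command.
for (const r of evaluateAll()) {
  const v = ok => (ok ? "approve" : "prompt ");
  console.log(`${v(r.readme)} | ${v(r.strict)} | ${r.command}`);
}
```

The README entry approves the first four commands, including the bundle install with --dangerously-force-unsafe-install appended; the strict pattern approves only the first three and leaves that break-glass install to an explicit /approve, which is the behaviour a reviewer would normally want for a flag that disables an install-time check. Neither pattern covers uninstall, config set, or the npm: package name.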

With pre-flight set, the install prompt below finishes in 2 chat turns, 0 /approve prompts (verified end-to-end on OpenClaw 2026.5.6). Without pre-flight, expect 4–6 turns with several token-paste round-trips.

Natural-language install (after pre-flight)

OpenClaw is a personal agent driven by natural language; the LLM picks which command to run. The recommended user-facing prompt that works across versions:

Install Hirey AI on this OpenClaw host. First check `openclaw --version`:
- If 2026.5.2 or higher, run `openclaw plugins install clawhub:hirey`.
- Otherwise (OpenClaw 2026.4.23 ~ 2026.5.1), run `openclaw plugins install clawhub:hirey-compatible --dangerously-force-unsafe-install`.
The `--dangerously-force-unsafe-install` flag is required only for the bundle path: it is OpenClaw's own break-glass override that lets community bundles ship a setup-time `child_process` helper for `npm install` + `openclaw config set`. The ClawPack path is in-process and does not need the flag.
After install, call hi_agent_install (don't fabricate an agent id). Report the real agent_id and hooks_ready status.

Direct CLI for OpenClaw 5.2+ users:

openclaw plugins install clawhub:hirey
openclaw gateway restart

For OpenClaw 4.23 ~ 5.1 users (bundle path), or any 5.2+ user who wants the bundle as a universal fallback:

openclaw plugins install clawhub:hirey-compatible --dangerously-force-unsafe-install
openclaw gateway restart

The --dangerously-force-unsafe-install flag is required because the OpenClaw 4.14+ install scanner blocks community bundles that ship a child_process import; our openclaw-host-installer.mjs legitimately uses child_process.execFile to spawn npm install and openclaw config set during setup. This is the override flag OpenClaw itself provides (docs/cli/plugins.md), not a bypass of unrelated controls, but it does waive that scanner check for the bundle, so read openclaw-host-installer.mjs before passing it.

After restart, ask OpenClaw "Hi 健康吗?" ("Is Hi healthy?") or "post a Hi listing for me"; the LLM will see the registered Hi tools and run them directly.
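The scan report on this page says the plugin rewrites ~/.openclaw/openclaw.json on startup (tools.alsoAllow, hooks token, path and session-key prefixes) and recommends reviewing that file after install. The following is an added example, not code from the hirey plugin or from OpenClaw: a small Node script that diffs a pre-install copy of the file against the post-install one and flags the keys this page names. The two snapshots are constructed; the hooks.enabled key, the filler keys, and the exact value shapes are assumptions, not something the page documents.

```javascript
// Added example (not from the hirey plugin or OpenClaw): diff two snapshots of
// ~/.openclaw/openclaw.json and report every added, removed or changed key.
// Keys under hooks.* and tools.alsoAllow are flagged because the scan report
// and README say the plugin writes hooks.token, hooks.path,
// hooks.allowedSessionKeyPrefixes and tools.alsoAllow. Snapshots are
// constructed; "hooks.enabled" and the filler keys are assumptions.

const FLAGGED_PREFIXES = ["hooks.", "tools.alsoAllow"];
const SECRET_PATHS = new Set(["hooks.token"]);

// Flatten nested objects into "a.b.c" -> JSON-encoded leaf value. Arrays are
// treated as leaves so a changed allowlist shows up as one entry.
function flatten(node, prefix = "", out = new Map()) {
  if (node !== null && typeof node === "object" && !Array.isArray(node)) {
    for (const [key, value] of Object.entries(node)) {
      flatten(value, prefix ? `${prefix}.${key}` : key, out);
    }
  } else {
    out.set(prefix, JSON.stringify(node));
  }
  return out;
}

function diffConfig(before, after) {
  const a = flatten(before);
  const b = flatten(after);
  const changes = [];
  for (const [path, value] of b) {
    if (!a.has(path)) changes.push({ path, kind: "added", value });
    else if (a.get(path) !== value) changes.push({ path, kind: "changed", value });
  }
  for (const [path, value] of a) {
    if (!b.has(path)) changes.push({ path, kind: "removed", value });
  }
  for (const change of changes) {
    change.flagged = FLAGGED_PREFIXES.some(p => change.path === p || change.path.startsWith(p));
    // Never echo the hooks token into a transcript or log.
    if (SECRET_PATHS.has(change.path)) change.value = "<redacted>";
  }
  return changes.sort((x, y) => x.path.localeCompare(y.path));
}

function renderReport(changes) {
  return changes.map(c => `${c.flagged ? "!! " : "   "}${c.kind.padEnd(7)} ${c.path} = ${c.value}`);
}

// Constructed snapshots. Only the keys named on this page are meaningful; the
// rest is filler to show that unchanged keys are not reported.
const beforeInstall = {
  gateway: { logLevel: "info" },
  tools: { exec: { security: "allowlist", ask: "off" } },
};
const afterInstall = {
  gateway: { logLevel: "info" },
  tools: {
    exec: { security: "allowlist", ask: "off" },
    alsoAllow: ["hi_agent_install", "hi_agent_claim_export"],
  },
  hooks: {
    enabled: true,
    token: "constructed-example-token-do-not-use",
    path: "/hooks/agent",
    allowedSessionKeyPrefixes: ["agent:"],
  },
};

// Only the changes that touch host trust boundaries.
function flaggedChanges(before = beforeInstall, after = afterInstall) {
  return diffConfig(before, after).filter(c => c.flagged);
}

console.log(renderReport(diffConfig(beforeInstall, afterInstall)).join("\n"));
```

In practice, copy openclaw.json aside before running the install, then replace the two constructed objects with JSON.parse of the saved copy and of the live file. Every flagged line is a host-level change the plugin made without a confirmation prompt; the token value is deliberately never printed.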

Development

npm install
npm run build
npm pack    # emits hirey-<version>.tgz

Use openclaw plugins install -l <local-dir> for local link-mode testing (only on OpenClaw 5.2+).

License

UNLICENSED (private; published under unscoped hirey on the public npm registry but the source is not open source).