farcasclaudiu/openclaw
1
0
Fork 0
mirror of https://github.com/farcasclaudiu/openclaw.git synced 2026-06-28 15:01:41 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden plugin/hook npm installs

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-14 14:07:07 +01:00
parent d69b32a073
commit 6f7d31c426
10 changed files with 391 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/automation/hooks.md
+6
View File
@@ -103,6 +103,8 @@ Hook packs are standard npm packages that export one or more hooks via `openclaw
openclaw hooks install <path-or-spec>
```
Npm specs are registry-only (package name + optional version/tag). Git/URL/file specs are rejected.
Example `package.json`:
```json
@@ -118,6 +120,10 @@ Example `package.json`:
Each entry points to a hook directory containing `HOOK.md` and `handler.ts` (or `index.ts`).
Hook packs can ship dependencies; they will be installed under `~/.openclaw/hooks/<id>`.
Security note: `openclaw hooks install` installs dependencies with `npm install --ignore-scripts`
(no lifecycle scripts). Keep hook pack dependency trees "pure JS/TS" and avoid packages that rely
on `postinstall` builds.
## Hook Structure
### HOOK.md Format