Downloads: 85 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install hook-system
Description
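Tool hook system. Injects custom logic before and after tool execution. Supports:
- PreToolUse: called before a tool executes; can modify the input or block execution
- PostToolUse: called after a tool executes; can modify the output or write logs

Triggered when the user says "add a hook", "hook", "intercept tool", or "tool pre/post-processing". Requires: Node.js 18+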
README (SKILL.md)
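Hook System - Tool Hook Framework
Core Concepts
Tool call flow (with hooks):
```
User Message → [PreToolUse Hook] → Tool Executor → [PostToolUse Hook] → Response
                      ↓                                    ↓
              can block execution                   can modify output
```
Hook Types
| Type | When | Purpose |
|---|---|---|
| PreToolUse | Before the tool executes | Validate input, log, block execution |
| PostToolUse | After the tool executes | Modify output, handle errors, notify |
Quick Start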
```js
// hook-runner.mjs is an ES module, so load it with import
// (require() of an .mjs file fails on Node.js 18).
import { HookRunner } from './scripts/hook-runner.mjs';

const runner = new HookRunner({
  preToolUse: ['echo "Calling $HOOK_TOOL_NAME"'],
  postToolUse: ['echo "Done: $HOOK_TOOL_NAME"']
});

// Pre-execution hook
const preResult = runner.runPreToolUse('read_file', '{"path":"README.md"}');
console.log(preResult.allow);    // true/false
console.log(preResult.messages); // hook output

// Post-execution hook
const postResult = runner.runPostToolUse('read_file', '{"path":"README.md"}', 'file content...', false);
```
Hook Command Format
```
# stdout    = hook message (injected into the result)
# exit code = result
#   0     = allow / success
#   2     = deny (PreToolUse only)
#   other = warn (does not block execution)
```
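Environment Variables
Injected automatically when a hook runs:
| Variable | Description |
|---|---|
| HOOK_EVENT | Event type: PreToolUse or PostToolUse |
| HOOK_TOOL_NAME | Tool name |
| HOOK_TOOL_INPUT | Tool input (raw JSON string) |
| HOOK_TOOL_INPUT_PARSED | Parsed JSON (pretty-printed) |
| HOOK_TOOL_OUTPUT | Tool output (PostToolUse only) |
| HOOK_TOOL_IS_ERROR | Whether the call errored: 0 or 1 |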
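Permission Model
| Exit code | Result | Description |
|---|---|---|
| 0 | Allow | The tool executes / continues normally |
| 2 | Deny | Blocks tool execution |
| Other | Warn | Shows a warning but continues execution |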
Configuration File Format
```json
{
  "hooks": {
    "preToolUse": [
      "node ./hooks/validate-input.mjs",
      "echo \"PreHook: $HOOK_TOOL_NAME\""
    ],
    "postToolUse": [
      "node ./hooks/log-output.mjs"
    ]
  }
}
```
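Built-in Hook Examples
1. Logging hook
```sh
# pre-log.sh
echo "[$(date)] Calling $HOOK_TOOL_NAME with $HOOK_TOOL_INPUT" >> hooks.log
```
2. Input validation hook
```js
// validate-input.mjs
let input;
try {
  input = JSON.parse(process.env.HOOK_TOOL_INPUT || '{}');
} catch {
  // An uncaught exception would exit with code 1, which only warns.
  console.error('Invalid JSON input');
  process.exit(2); // Deny
}
if (typeof input?.path === 'string' && input.path.includes('..')) {
  console.error('Path traversal detected');
  process.exit(2); // Deny
}
console.log('Input valid');
process.exit(0);
```
3. Secret filtering hook
```js
// filter-secrets.mjs
const output = process.env.HOOK_TOOL_OUTPUT || '';
// Replace anything that looks like an sk-... API key before it reaches the result.
const filtered = output.replace(/sk-\w{32,}/g, '[REDACTED_API_KEY]');
console.log(filtered);
process.exit(0);
```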
File Structure
```
hook-system/
├── SKILL.md                    # this file
├── scripts/
│   ├── hook-runner.mjs         # core hook runner
│   └── hooks/
│       ├── pre-log.mjs         # logging example
│       ├── validate-path.mjs   # path validation
│       └── filter-secrets.mjs  # secret filtering
└── references/
    └── hook-examples.md        # more examples
```
The fruit of Lobster Prince's self-evolution 🦞
Usage Guidance
This hook system does what it says: it runs configured shell commands before and after tool calls. However, those hook commands are executed via a shell and inherit the agent's entire environment — so any secrets or API keys in environment variables can be read and exfiltrated by hooks, and hooks can run network or filesystem operations. Before installing: (1) only allow vetted hook scripts from trusted sources; (2) prefer running this skill in an isolated environment or container; (3) avoid placing credentials in the agent environment or patch the script to pass a minimal sanitized env to hooks (replace env: { ...process.env, ...env } with a curated env object); (4) review any HOOK_PRE/HOOK_POST values you set and the contents of hook scripts (especially anything that writes logs, reads files, or performs HTTP requests); (5) if you require stronger safety, refuse autonomous invocation or restrict the agent's ability to attach hooks. Because the source is unknown and the code exposes full environment to hooks, treat this skill as high-risk unless you control and inspect all hook commands.
Capability Analysis
Type: OpenClaw Skill
Name: hook-system
Version: 1.0.0
The skill implements a framework for executing arbitrary shell commands as 'hooks' before and after tool calls via `scripts/hook-runner.mjs`. While the `SKILL.md` documentation suggests benign use cases like logging and secret filtering, the core logic uses `child_process.spawn` to run commands defined in environment variables (`HOOK_PRE`, `HOOK_POST`), which facilitates arbitrary code execution. There is no evidence of intentional malice, but the lack of command sanitization or sandboxing makes it a high-risk utility.
Capability Assessment
Purpose & Capability
Name/description match implementation: the script implements PreToolUse/PostToolUse hooks and runs configured commands before/after tool execution. The included examples (validation, logging, filtering) are consistent with the stated purpose.
Instruction Scope
SKILL.md and the script instruct running arbitrary shell commands as hooks. The documentation does not warn that hooks will inherit the process environment or can execute arbitrary network/file operations; the code spawns a shell for each hook, so hooks can read/write files, make network requests, or execute any command available to the runtime.
Install Mechanism
No install spec (instruction-only) and a single supporting script file are provided; nothing is downloaded from external URLs or written by an installer, which reduces supply-chain risk. The code is included in the package so there is no hidden remote install step.
Credentials
The skill declares no required env vars, but runHookCommand invokes child processes with env: { ...process.env, ...env }, meaning hooks receive the entire parent environment (all secrets/keys). This gives hooks access to any credentials present in the agent environment despite no declared need — a disproportionate and under-documented privilege.
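The curated environment recommended under Usage Guidance and in this Credentials finding can look like the following. This is an added example, not the skill's own `hook-runner.mjs`: `PASSTHROUGH`, `buildHookEnv`, `decide` and `runHook` are hypothetical names, and denying a PreToolUse hook that is killed or times out is a choice made here rather than documented behaviour.

```javascript
// Added example: launch a hook with an allowlisted environment.
// All names below are assumptions for illustration, not the skill's API.
const PASSTHROUGH = ['PATH', 'HOME', 'LANG', 'TMPDIR']; // no secret-bearing variables

// Build the child environment from scratch instead of spreading process.env.
function buildHookEnv(parentEnv, hookVars) {
  const env = {};
  for (const key of PASSTHROUGH) {
    if (parentEnv[key] !== undefined) env[key] = parentEnv[key];
  }
  for (const [key, value] of Object.entries(hookVars)) {
    // Only the documented HOOK_* variables may be injected by the runner.
    if (key.startsWith('HOOK_')) env[key] = String(value);
  }
  return env;
}

// Map an exit status to the documented result: 0 allow, 2 deny, other warn.
// Exit code 2 denies only for PreToolUse. A status of null means the hook was
// killed or never started; for PreToolUse this example fails closed.
function decide(event, status) {
  if (status === 0) return 'allow';
  if (event === 'PreToolUse' && (status === 2 || status === null)) return 'deny';
  return 'warn';
}

async function runHook(command, event, toolName, toolInput, parentEnv = process.env) {
  // Dynamic import keeps this loadable as CommonJS or as an ES module.
  const { spawnSync } = await import('node:child_process');
  const res = spawnSync(command, {
    shell: true, // the skill runs hook commands through a shell
    env: buildHookEnv(parentEnv, {
      HOOK_EVENT: event,
      HOOK_TOOL_NAME: toolName,
      HOOK_TOOL_INPUT: toolInput,
    }),
    encoding: 'utf8',
    timeout: 5000, // a hung hook must not stall the agent
  });
  return { outcome: decide(event, res.status), message: (res.stdout || '').trim() };
}
```

The hook still runs arbitrary shell code with the agent's filesystem and network access; the allowlist only removes inherited credentials from its environment.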
Persistence & Privilege
always is false and the skill does not request persistent system-wide modifications. The agent can invoke the skill autonomously (default behavior) but that alone is normal and not flagged here. The skill does allow arbitrary hooks which increases risk if the agent auto-invokes it, but there is no evidence it modifies other skills or system configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install hook-system
- After installation, invoke the skill by name or use /hook-system
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of hook-system — a tool hook framework for injecting custom logic before and after tool execution.
- Supports PreToolUse and PostToolUse hooks for input validation, logging, output modification, and more.
- Allows hooks to modify inputs, block execution, or process outputs with exit codes.
- Provides environment variables and configuration file examples for flexible customization.
- Includes built-in example hooks for logging, input validation, and sensitive info filtering.
- Requires Node.js 18 or newer.
Frequently Asked Questions
What is Hook System?
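Tool hook system. Injects custom logic before and after tool execution. Supports: - PreToolUse: called before a tool executes; can modify the input or block execution - PostToolUse: called after a tool executes; can modify the output or write logs. Triggered when the user says "add a hook", "hook", "intercept tool", or "tool pre/post-processing". Requires: Node.js 18+. It is an AI Agent Skill for Claude Code / OpenClaw, with 85 downloads so far.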
How do I install Hook System?
Run "/install hook-system" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Hook System free?
Yes, Hook System is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Hook System support?
Hook System is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Hook System?
It is built and maintained by xhmqq616 (@xhmqq616); the current version is v1.0.0.