OpenClaw installation: missing hooks in package.json

[PinkZanny]

Bug Description

When trying to install the plugin, the installation fails due to openclaw.hooks not being configured in package.json file.

Note that the installation security block can be bypassed by:
openclaw plugins install @vectorize-io/hindsight-openclaw --dangerously-force-unsafe-install

Steps to Reproduce

1. Install OpenClaw
2. Attempt installation of hindsight plugin: openclaw plugins install @vectorize-io/hindsight-openclaw
3. Failure.
4. Attempt forced installation of hindsight: openclaw plugins install @vectorize-io/hindsight-openclaw --dangerously-force-unsafe-install

Expected Behavior

The plugin should install.

Actual Behavior

Plugin doesn't install:

OpenClaw 2026.3.31 (213a704) — I can't fix your code taste, but I can fix your build and your backlog. Resolving clawhub:@vectorize-io/hindsight-openclaw… Downloading @vectorize-io/hindsight-openclaw… Extracting /tmp/openclaw-npm-pack-dM7IZc/vectorize-io-hindsight-openclaw-0.5.1.tgz… WARNING: Plugin "hindsight-openclaw" contains dangerous code patterns: Environment variable access combined with network send — possible credential harvesting (/tmp/openclaw-plugin-JjJINk/extract/package/dist/index.js:77); Shell command execution detected (child_process) (/tmp/openclaw-plugin-JjJINk/extract/package/dist/client.js:11); Shell command execution detected (child_process) (/tmp/openclaw-plugin-JjJINk/extract/package/dist/embed-manager.js:72); Environment variable access combined with network send — possible credential harvesting (/tmp/openclaw-plugin-JjJINk/extract/package/dist/embed-manager.js:50) Downloading @vectorize-io/hindsight-openclaw… Extracting /tmp/openclaw-hook-pack-RNPuIi/vectorize-io-hindsight-openclaw-0.5.1.tgz… Plugin "hindsight-openclaw" installation blocked: dangerous code patterns detected: Environment variable access combined with network send — possible credential harvesting (/tmp/openclaw-plugin-JjJINk/extract/package/dist/index.js:77); Shell command execution detected (child_process) (/tmp/openclaw-plugin-JjJINk/extract/package/dist/client.js:11); Shell command execution detected (child_process) (/tmp/openclaw-plugin-JjJINk/extract/package/dist/embed-manager.js:72); Environment variable access combined with network send — possible credential harvesting (/tmp/openclaw-plugin-JjJINk/extract/package/dist/embed-manager.js:50) Also not a valid hook pack: Error: package.json missing openclaw.hooks

Version

No response

LLM Provider

None

[nicoloboschi]

Apparently this is a problem with latest changes on OpenClaw (2026.3.31) with 2026.3.23 all works correctly

[nicoloboschi]

@PinkZanny I'm investigating, will likely cut a release tomorrow

[nicoloboschi]

Thanks for reporting this @PinkZanny!

We investigated this thoroughly. Here's what's happening:

Root Cause

This is actually two bugs in OpenClaw 2026.3.31, not in our plugin:

Bug 1: Security scan blocks legitimate plugins with no workaround via npm install

Our plugin legitimately needs to:

• Read environment variables (API keys) and make network requests (to Hindsight API)
• Spawn child processes (to manage the hindsight-embed daemon)

OpenClaw's security scanner flags these as "dangerous code patterns" and blocks the install. This is a change from earlier versions (e.g., 2026.3.23) which only showed a WARNING but allowed the install to proceed.

Bug 2: --dangerously-force-unsafe-install flag is silently dropped for npm installs

We traced through the OpenClaw source and found that the force flag works correctly for local path installs, but is not propagated when installing from npm. Specifically:

• installPluginFromNpmSpec() passes archiveInstallParams to the internal installer but omits dangerouslyForceUnsafeInstall from that object
• installPluginFromArchive() also doesn't forward dangerouslyForceUnsafeInstall to pickPackageInstallCommonParams()

This means --dangerously-force-unsafe-install has zero effect when installing via openclaw plugins install @vectorize-io/hindsight-openclaw. This is an OpenClaw bug that should be reported upstream.

The "hook pack" error (package.json missing openclaw.hooks) is a red herring — after the plugin install fails, OpenClaw falls back to trying to load the package as a "hook pack" (a different plugin format), which we aren't and shouldn't be.

Workaround

Until the OpenClaw bug is fixed, you can install from a local path instead:

# Clone and build
git clone https://github.com/vectorize-io/hindsight.git
cd hindsight/hindsight-integrations/openclaw
npm install && npm run build

# Install from local path (force flag works for local installs)
openclaw plugins install . --dangerously-force-unsafe-install

Or use the included install script which bypasses the plugin installer entirely:

cd hindsight/hindsight-integrations/openclaw
bash install.sh
openclaw plugins enable hindsight-openclaw

We'd recommend also filing a bug on the OpenClaw repo about the --dangerously-force-unsafe-install flag not working for npm spec installs.

[PinkZanny]

Thanks @nicoloboschi, I'll close the issue now.

I'll try the workaround and come back to you. I'm going to open the issue also on oc's side.