Use Skills hooks when tool calls are backed by versioned skills and you need policy enforcement on skill drift (a version or code change since the last scan) or on scan outcomes.

OpenClaw Hook Wiring

sec0-sdk/integrations/openclaw exposes the Skills hooks through createMoltbotHooks:

const { createMoltbotHooks } = require("sec0-sdk/integrations/openclaw");

const hooks = createMoltbotHooks({
  // ...base config...
  mode: "enforce",
  skills: {
    enabled: true,
    resolve: ({ toolName, params }) => {
      // Return the active skill backing this tool call.
      // This can come from params, your registry, or workspace metadata.
      return params?.skill || null;
    },
    onScan: async ({ skill, skillRef, revisionRef }) => {
      // Run your scanner(s) and normalize to Sec0's finding shape.
      return {
        status: "pass",
        findings: [],
        scanId: `${skillRef}:${revisionRef}`,
      };
    },
    scanOnChangeOnly: true,
    blockOnChange: true,
    blockOnSeverity: "high",
  },
});

Skills Hook Contract

skills.resolve

skills.resolve(ctx) should return the active skill reference for the invocation (or null if no skill is active).

skills.onScan

skills.onScan({ skill, skillRef, revisionRef }) should return a value of this shape:

type SkillScanResult = {
  status: "pass" | "fail" | "pending";
  findings?: Array<{
    code?: string;
    title?: string;
    severity?: "low" | "medium" | "high" | "critical";
    message?: string;
  }>;
  scanId?: string;
  raw?: unknown;
};

Policy Enforcement & Escalation

Use the policy's enforcement.deny_on and enforcement.escalate_on lists with the Skills-specific reasons:
  • skill_version_changed
  • skill_code_changed
  • skill_scan_pending
  • skill_scan_failed

For example, to deny on a failed scan and escalate on a failed scan or a code change:
security:
  side_effects:
    approve_high_risk: true
enforcement:
  deny_on:
    - skill_scan_failed
  escalate_on:
    - skill_scan_failed
    - skill_code_changed
See the full schema in Policy Schema Reference.