Foxcode OpenClaw

This skill is plausible for configuring Foxcode in OpenClaw, but exercise caution before running it: - Review the scripts first. The wizard will modify ~/.openclaw/openclaw.json and ~/.openclaw/agents/main/agent/auth-profiles.json and may write your API token. Confirm exactly where the token will be stored. - The code is inconsistent: configure_foxcode.py says API keys go in auth-profiles.json, while validate_config.py expects an apiKey inside openclaw.json (or ${FOXCODE_API_TOKEN}). That mismatch can lead to secrets being placed in the wrong file or validation failures. Ask the author to clarify or patch the scripts so they agree on a single secure storage location. - Back up ~/.openclaw (as the README/skill already warns) and verify file permissions (chmod 600) after the change. Use a throwaway/limited-scope token if possible when testing. - Affiliate/redirect domains (rjj.cc) are used for registration and status pages; this is likely monetization but double-check links before visiting and prefer direct provider pages if you have them. - If you are not comfortable inspecting or running Python scripts, decline installation or run them in an isolated environment (container or VM). If the author can provide a short changelog or a signed release and update the registry metadata (declare FOXCODE_API_TOKEN if it's required/expected), that would raise confidence. Confidence is medium: findings look like sloppy/inconsistent engineering rather than deliberate exfiltration, but the secret-storage inconsistencies justify labeling this 'suspicious' until clarified.