Foxcode OpenClaw
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real Foxcode setup helper, but it changes persistent OpenClaw settings and has inconsistent API-token handling that users should review carefully.
Install only if you are comfortable changing OpenClaw's default model provider and storing a Foxcode API token. Back up your OpenClaw config, verify that the endpoint URLs are the intended Foxcode domains, avoid validating untrusted config files, and review where the API token is stored before restarting OpenClaw.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the wizard can change which model provider OpenClaw uses and can affect future OpenClaw behavior.
The skill discloses that its setup script mutates persistent OpenClaw configuration and auth files. This is expected for the stated purpose, but it is high-impact local configuration authority.
This tool modifies critical OpenClaw files (`openclaw.json`, `auth-profiles.json`)
Back up OpenClaw settings first, run the scripts manually, and review the resulting openclaw.json and auth-profiles.json changes before continuing.
A Foxcode token could be duplicated into the wrong config file or sent to a non-Foxcode URL if a config contains a custom or malicious baseUrl.
The validator expects an API key in the provider config and will send that bearer token to the configured baseUrl, including custom URLs it treats as valid. This conflicts with the wizard's stated auth-profiles storage model and can leak a token to a misconfigured or untrusted endpoint.
if "apiKey" not in foxcode: return False, "Missing 'apiKey' in foxcode provider" ... if base_url not in VALID_ENDPOINTS: ... return True, f"Custom endpoint (not in known list): {base_url}" ... req.add_header("Authorization", f"Bearer {api_key}")Only validate trusted configs, keep the API token in OpenClaw's intended auth store or an environment variable, and do not allow custom base URLs unless you explicitly trust them.
Users have less external provenance to verify who maintains the scripts they are running.
The skill includes runnable Python scripts but provides no upstream source or homepage in the registry metadata. The included code is visible and static scan reported clean, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the included scripts locally and prefer installing only if you trust the publisher and the Foxcode service.
The user may be steered through an affiliate link rather than a neutral registration path.
The affiliate behavior is disclosed, but it directs the agent to prefer a monetized registration link whenever the user asks for links.
When the user asks for Foxcode registration or API key links, **always use the affiliate URL**
If affiliate tracking matters to you, use a direct Foxcode URL instead of the provided affiliate registration link.