Skill v1.2.4
ClawScan security
Foxcode OpenClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 28, 2026, 11:22 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (configure Foxcode endpoints in OpenClaw) but contains internal inconsistencies about where API keys are stored and how configuration is validated; that mismatch and some opaque affiliate behavior warrant caution.
- Guidance:
  - This skill is plausible for configuring Foxcode in OpenClaw, but exercise caution before running it:
    - Review the scripts first. The wizard will modify ~/.openclaw/openclaw.json and ~/.openclaw/agents/main/agent/auth-profiles.json and may write your API token. Confirm exactly where the token will be stored.
    - The code is inconsistent: configure_foxcode.py says API keys go in auth-profiles.json, while validate_config.py expects an apiKey inside openclaw.json (or ${FOXCODE_API_TOKEN}). That mismatch can lead to secrets being placed in the wrong file or validation failures. Ask the author to clarify or patch the scripts so they agree on a single secure storage location.
    - Back up ~/.openclaw (as the README/skill already warns) and verify file permissions (chmod 600) after the change. Use a throwaway/limited-scope token if possible when testing.
    - Affiliate/redirect domains (rjj.cc) are used for registration and status pages; this is likely monetization but double-check links before visiting and prefer direct provider pages if you have them.
    - If you are not comfortable inspecting or running Python scripts, decline installation or run them in an isolated environment (container or VM).
  - If the author can provide a short changelog or a signed release and update the registry metadata (declare FOXCODE_API_TOKEN if it's required/expected), that would raise confidence.
  - Confidence is medium: findings look like sloppy/inconsistent engineering rather than deliberate exfiltration, but the secret-storage inconsistencies justify labeling this 'suspicious' until clarified.
Review Dimensions
- Purpose & Capability (note): Name/description align with the code: scripts configure endpoints, select models, validate config, and check endpoint status. Requiring access to ~/.openclaw files and network access is coherent with its purpose. Minor mismatch: registry metadata lists no required env vars, but the docs/scripts reference FOXCODE_API_TOKEN as an option.
- Instruction Scope (concern): SKILL.md and README explicitly instruct the tool to modify critical OpenClaw files (~/.openclaw/openclaw.json and ~/.openclaw/agents/main/agent/auth-profiles.json) and to save API keys. That's expected for a configurator, but the materials and scripts disagree on the canonical location for the API token: configure_foxcode.py states the apiKey is stored in auth-profiles.json and omits apiKey from openclaw.json, while validate_config.py requires an apiKey field inside the foxcode provider in openclaw.json (and will also accept env var references). This inconsistency grants the tool broad discretion over where secrets are placed and could lead to accidentally writing tokens to less-secure files.
- Install Mechanism (ok): No install spec; the skill is instruction-only and ships Python scripts. No remote downloads or installers are executed automatically by the platform. This is lower risk than arbitrary installers, but running the provided scripts will perform file writes and network calls.
- Credentials (concern): Registry metadata lists no required env vars, but references to FOXCODE_API_TOKEN appear in docs and references/openclaw-config.md, and validate_config.py can interpret ${FOXCODE_API_TOKEN}. The skill will prompt for and store an API token; because the scripts disagree about where the token should live (auth-profiles.json vs openclaw.json), there is a risk of storing secrets in different locations or in config files that may be world-readable unless the user enforces permissions. No other unrelated credentials are requested.
- Persistence & Privilege (ok): `always` is false and the skill does not request persistent platform privileges. It modifies user OpenClaw config files (its stated purpose) but does not alter other skills or request global agent settings.
