OpenClaw Feishu Quota Guard
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private documents, logs, or token values could be copied into the agent conversation or logs during troubleshooting.
When no scan root is supplied, the script searches broad personal folders and prints full matching lines, including credential-like Feishu verification-token lines, into command output without redaction.
home / "Documents", home / "Downloads" ... "verificationToken" ... hits.append("{}:{}:{}".format(path, lineno, line.strip()))Run the scanner only with an explicit OpenClaw workspace/config path, remove Documents/Downloads from default roots, and redact token values before printing matches.
Heartbeat behavior may change or be disabled, affecting how OpenClaw runs in the future.
The bundled fixer persistently edits the OpenClaw config after creating a backup; this is aligned with the quota-reduction purpose but is still a local agent-behavior change.
set_value("every", "1h") ... backup = backup_file(config_path) ... json.dump(data, f, ensure_ascii=True, indent=2)Use the documented --dry-run first, confirm the target config path, keep the backup, and approve non-dry-run changes explicitly.
Users may think this is purely instructional or dependency-free when practical use requires local script execution and Python/OpenClaw tooling.
The package ships runnable Python/shell helpers, while registry metadata does not declare runtime requirements or an install mechanism; the behavior is documented, but the metadata understates what users will run.
Required binaries ... none ... No install spec — this is an instruction-only skill. Code file presence: 6 code file(s)
Declare Python/OpenClaw/shell requirements and align package metadata with the shipped helper scripts.