claw-lark Patches
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is transparent about patching claw-lark plugin files, but users should only run it intentionally because it changes installed OpenClaw extension behavior.
This skill appears coherent and purpose-aligned, but it directly edits installed claw-lark plugin files. Before running it, review the patch script, make sure the target path is correct, set BOT_OPEN_ID and BOT_NAME carefully if needed, and be prepared to reinstall or restore claw-lark if the patched behavior is not what you want.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the script changes installed claw-lark runtime files, so the gateway may behave differently after restart.
The quick-apply script executes embedded Node.js code and writes patched JavaScript back into the claw-lark plugin files. This is disclosed and central to the skill's purpose, but it is still local code-modification authority.
node << 'PATCH_EOF' ... fs.writeFileSync(path, content);
Run the script only when you intend to patch claw-lark, review the script first, and keep a way to restore the plugin by reinstalling or backing up the original files.
After patching, outbound Lark sends, reactions, and media operations may use the default configured Lark account where they previously failed.
The documented patch changes outbound methods to resolve and use the configured default Lark account when an account is not passed directly. This is purpose-aligned for fixing claw-lark messaging, but it affects which delegated Lark account is used.
const account = args.account ?? resolveAccount(args.cfg, args.accountId ?? "default");
Confirm the configured claw-lark default account has the intended workspace permissions and that only trusted users or workflows can trigger outbound Lark actions.
Users have less external provenance information and may not realize the quick-apply script depends on Node being available.
The registry metadata does not provide provenance or declare the Node runtime used by the included patch script. This is not evidence of malicious behavior, but it is useful context for a script that modifies installed plugin code.
Source: unknown; Homepage: none; Required binaries (all must exist): none; No install spec — this is an instruction-only skill.
Inspect the included script before running it and verify it comes from a source you trust.
