claw-lark Patches
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the script changes installed claw-lark runtime files, so the gateway may behave differently after restart.
The quick-apply script executes embedded Node.js code and writes patched JavaScript back into the claw-lark plugin files. This is disclosed and central to the skill's purpose, but it is still local code-modification authority.
node << 'PATCH_EOF' ... fs.writeFileSync(path, content);
Run the script only when you intend to patch claw-lark, review the script first, and keep a way to restore the plugin by reinstalling or backing up the original files.
After patching, outbound Lark sends, reactions, and media operations may use the default configured Lark account where they previously failed.
The documented patch changes outbound methods to resolve and use the configured default Lark account when an account is not passed directly. This is purpose-aligned for fixing claw-lark messaging, but it affects which delegated Lark account is used.
const account = args.account ?? resolveAccount(args.cfg, args.accountId ?? "default");
Confirm the configured claw-lark default account has the intended workspace permissions and that only trusted users or workflows can trigger outbound Lark actions.
Users have less external provenance information and may not realize the quick-apply script depends on Node being available.
The registry metadata does not provide provenance or declare the Node runtime used by the included patch script. This is not evidence of malicious behavior, but it is useful context for a script that modifies installed plugin code.
Source: unknown; Homepage: none; Required binaries (all must exist): none; No install spec — this is an instruction-only skill.
Inspect the included script before running it and verify it comes from a source you trust.
