※ This is Part 3 of an ongoing series about unexpected credit consumption in Genspark Claw. If you’re coming in fresh, here’s the quick background — and if you’ve read the earlier posts, feel free to skip ahead.
Genspark’s Claw feature comes with an optional “Cloud Computer” — a Linux virtual machine that keeps running in the background even after you close your browser. When something goes wrong inside it, it can call the AI (LLM) repeatedly without you noticing, burning through credits at an alarming rate. Part 1 identified the cause. Part 2 brought a 97% reduction in consumption. And then it came back.
· Part 1: Genspark Claw Was Silently Draining My Credits — Here’s What I Found
· Part 2: How I Cut Genspark Claw Credit Consumption by 97%
One more thing worth mentioning up front: around this time, I stopped purchasing additional Genspark credits altogether (more on that in a separate post). With no way to top up the balance, stopping wasteful consumption stopped being a nice-to-have and became genuinely urgent.
When I realized it had started again
Contents
By early April, credit consumption had dropped to nearly zero and stayed there for several days. I assumed the problem was behind me. The fixes from Part 2 — stopping the gateway process, clearing the delivery queue, and cleaning up the cron schedule — had worked. What I hadn’t done was fix the underlying cause. I’d just stopped the bleeding. When I restarted the gateway for normal use, the conditions for the same failure were still in place.
On April 10th, I noticed that over the course of a few hours in the afternoon, more than 800 credits had disappeared. The consumption rate was visibly higher than what I’d flagged in Part 2. The same problem had returned, and it was worse.
The short version
If you’re short on time, here’s what this post covers:
- The same authentication loop bug came back — but this time I found the actual root cause inside the source code, not just the symptoms
- Claw diagnosed its own bug by reading its plugin source code, wrote a fix, and restarted itself — without me directing it to do so
- Even after that fix, credits kept draining — because of a separate issue hiding in a file called HEARTBEAT.md
- There’s a meaningful cost difference between typing into Claw’s chat window versus typing directly into the terminal — and I learned this the hard way
- I set up a watchdog script that automatically stops the gateway if the auth loop ever returns
This time vs. last time
The error message was identical to Part 2. But the way I handled it — and who actually handled it — was completely different.
| Item | Part 2 (early April) | Part 3 (April 10) |
|---|---|---|
| Consumption rate | ~2,100 credits/day | ~3,800 credits/day (estimated) |
| Error | Auth loop: “auth is not defined” | Same root cause |
| Approach | Stop it (kill gateway, clear queue, reset cron) | Fix it (patch the source code bug) |
| Who fixed it | Me, via terminal commands | Claw itself, autonomously |
| Prevention | None | Watchdog script + source backup |
| Auto-update schedule | Changed to weekly | Had reverted to daily (overwritten by update) |
The investigation: four steps
Step 1: Check what’s running
First, I checked which processes were active in the Cloud Computer terminal.
ps aux | grep -E "openclaw|claw|genspark" | grep -v grepThree processes were running: openclaw-gateway, wp-bridge, and websockify. Nothing looked obviously wrong. What I found interesting was that Claw read this output on its own and asked me: “Did something happen that made you want to check?” Claw can monitor its own process state through the terminal — it’s not just waiting for instructions.
Step 2: Read the error logs
Next, I pulled the gateway logs from earlier that afternoon.
journalctl --user -u openclaw-gateway --since "2026-04-10 12:00" | grep -E "error|restart|failed|auth|retry|genspark-im" | tail -50The output was exactly what I’d seen in Part 2:
[genspark-im] channel exited: auth is not defined
[genspark-im] auto-restart attempt 1/10 in 5sEvery time the “auth is not defined” error appeared, the system would wait — 5 seconds, then 11, then 20, then 42 — and try again, up to 10 times. Each retry called the LLM. Each call consumed credits. There was also a new error this time:
outboundState already populated by another account — multi-account is NOT supportedIn Part 2, I had assumed the problem was an expired authentication token. This time, the investigation went deeper.
Step 3: Claw finds its own bug — and patches it
This is the part I found most striking. I didn’t point Claw toward the source code or tell it to look for a bug. It did this on its own.
Claw first verified that the GSK authentication token itself was valid. It was. So the problem wasn’t a bad token — it was something in the code that was handling the token incorrectly. Claw then opened its own plugin source file (/home/work/.openclaw/workspace/plugins/genspark-im/src/index.ts) and read through it.
What it found was a classic JavaScript variable scope bug. In simple terms: a variable called auth was being referenced inside a function called runMonitor, but auth only existed inside a different function called refreshToken(). By the time runMonitor tried to use it, auth hadn’t been defined yet — so every run threw an error, triggered a retry, called the LLM, and consumed credits.
Claw fixed this by moving the reference to auth to after the first successful call to refreshToken(), adding a firstAuth flag to control the timing. It then attempted a hot reload (SIGUSR1), found that didn’t work for TypeScript plugins, and did a full restart instead. After the restart, the logs showed: Authenticated: chat_id=.... The fix held.
A tool that can read its own source code, identify a bug, write a patch, and restart itself is doing something qualitatively different from a chatbot answering questions. Terminal access makes that possible. Without it, none of this could have happened.
Step 4: Check the queue and schedule
The delivery queue was empty — no stuck messages from the messaging app integration. The four scheduled jobs in jobs.json (study progress reminders and project reviews) were all intentional and not yet due. The system-level auto-update cron, however, had quietly reverted from weekly back to daily — likely overwritten by a Genspark CLI update. Same pattern as Part 2.
Chat window vs. terminal: where you type changes what you pay
While setting up the watchdog script (more on that below), I made a mistake that turned into a useful lesson. I pasted the script contents into Claw’s chat window instead of directly into the terminal. Claw interpreted it as a task instruction, called the LLM to process it, and consumed credits — probably a few dozen.
If I had pasted the same content directly into the terminal, Linux would have executed it locally as a shell command. Zero credits consumed.
The rule of thumb: if you want the AI to think about something, use the chat window. If you want the computer to just run something, use the terminal. Any time you paste into the chat window, the LLM activates.
| What you’re doing | Where to type | Credit cost |
|---|---|---|
| “Summarize this,” “Help me plan X,” any AI task | Chat window | Costs credits (LLM runs) |
| Running a script, editing a file, copying a file | Terminal | Zero (Linux handles it locally) |
| “Please paste this script into the terminal for me” | Chat window | Costs credits (Claw interprets and acts) |
Prevention: what I added this time
Watchdog script
To stop the auth loop automatically if it ever returns, I set up a watchdog script directly in the terminal — not via chat.
#!/bin/bash
# /home/work/.openclaw/watchdog.sh
ERROR_COUNT=$(journalctl --user -u openclaw-gateway --since "1 hour ago" 2>/dev/null | grep -c "auth is not defined")
if [ "$ERROR_COUNT" -gt 5 ]; then
systemctl --user stop openclaw-gateway
echo "$(date): gateway stopped due to auth loop ($ERROR_COUNT errors in 1h)" >> /home/work/.openclaw/watchdog.log
fiThis script uses only standard Linux commands — no AI, no LLM, no Genspark API. Running it costs zero credits. I added it to the user crontab to run every 15 minutes. If the auth loop returns, the gateway gets stopped within 15 minutes, capping the damage at roughly 40 credits.
Backing up the patched source file
Since Claw modified the TypeScript source directly (there’s no pre-compiled .js file — the source is what runs), I saved a backup of the patched file.
cp /home/work/.openclaw/workspace/plugins/genspark-im/src/index.ts \
/home/work/.openclaw/index.ts.patched.bakIf a Genspark CLI update overwrites the fix, this backup makes it possible to diff the files and re-apply the patch rather than starting from scratch.
The second drain: HEARTBEAT.md
After the source code fix, I checked the credit balance again that evening and found consumption was still happening — around 130 credits per hour. The error logs were clean. No scheduled jobs were running. Something else was calling the LLM.
A service called openclaw-browser.service (Chromium) showed up in the active services list — something I hadn’t seen before. I checked its logs: empty. Its config showed it was just a script to launch a browser on a virtual display. No LLM involvement.
Then I looked at HEARTBEAT.md. This file is read by Claw on a regular cycle. The file’s own header says it plainly: if it contains tasks, the API gets called. If it’s empty (or contains only comments), it gets skipped.
When I opened it, I found a long list of scheduled dates for study progress reminders — entries I had set up earlier and forgotten to remove when I moved to jobs.json for schedule management. Not a bug. Just a leftover I hadn’t noticed. Every time Claw read that file, it called the LLM to process the contents.
I cleared it from the terminal:
cat > /home/work/.openclaw/workspace/HEARTBEAT.md << 'EOF'
# HEARTBEAT.md
# Keep this file empty (or with only comments) to skip heartbeat API calls.
# Scheduled jobs are managed via cron/jobs.json
EOFAbout 40 minutes later, consumption had dropped to zero. The four jobs in jobs.json were unaffected and still scheduled as intended.
If you’re using Claw with Cloud Computer and have set up scheduled tasks: HEARTBEAT.md and jobs.json serve overlapping purposes, but they work differently. HEARTBEAT.md calls the LLM every time it’s read, regardless of schedule. jobs.json only triggers at the specified time. If you’ve migrated to jobs.json, clear out HEARTBEAT.md.
A note on the OS restart prompt
The Cloud Computer login screen was showing a “System restart required” message. I held off on restarting until I could confirm the fixes were holding — checking the credit balance the next morning first, then restarting and verifying the gateway came back up cleanly with systemctl --user status openclaw-gateway.
FAQ
Q. Does it matter whether I type into the chat window or the terminal?
A. Yes, significantly — in terms of credit cost. Anything you type into the chat window gets processed by the LLM, which costs credits. Anything you type directly into the terminal is executed locally by Linux, which costs nothing. For setup tasks, file edits, and script installations, use the terminal.
Q. Does the watchdog script itself consume credits?
A. No. It uses only standard Linux commands (journalctl, grep, systemctl) and never calls Genspark’s AI. Running every 15 minutes costs zero credits.
Q. What’s the difference between HEARTBEAT.md and jobs.json?
A. Both can be used to give Claw recurring tasks, but they work differently. HEARTBEAT.md is read on a regular cycle — if it contains tasks, the LLM is called immediately each time. jobs.json stores time-specific scheduled jobs that only run at the specified date and time. If you’re using jobs.json for scheduling, keep HEARTBEAT.md empty (comments only) to avoid unintended LLM calls.
Q. What should I check if credits are still draining after fixing the auth loop?
A. Start with HEARTBEAT.md (cat /home/work/.openclaw/workspace/HEARTBEAT.md) — check whether it contains any task entries. Then check running services (systemctl --user list-units --type=service --state=running) for anything unexpected. If neither turns up the cause, pull recent gateway logs: journalctl --user -u openclaw-gateway --since "today" | grep -E "error|restart|failed|auth" | tail -30.
From “stop it” to “fix it” to “stop it automatically”
Looking back across all three posts, each one represents a different level of response to the same underlying problem. Part 1: identify the cause. Part 2: stop the bleeding (97% reduction). Part 3: fix the actual bug, patch the second drain, and build a system that catches it automatically if it ever returns.
What made Part 3 different wasn’t just the outcome — it was that Claw did the hardest part itself. I didn’t write the patch. I didn’t tell Claw where to look. It read its own source code, found the scope error, fixed it, and confirmed the fix. That kind of autonomous debugging is only possible because Cloud Computer gives Claw real terminal access to its own environment.
That said, the underlying platform problem hasn’t changed. Genspark still doesn’t provide a credit consumption API, per-action usage history, automatic error detection, or UI-to-server setting sync. Without those, users are left running their own watchdog scripts and manually auditing HEARTBEAT.md. A credit consumption API in particular would make it possible to build a genuinely accurate monitor — right now the watchdog is proxying credit drain through error log frequency, which works, but isn’t the same thing.
A separate post will cover my decision to stop purchasing additional Genspark credits entirely — and what that means for how I’m using the tool going forward.
※ AI tools (Claude) were used in the research and writing of this article.
Hiroshi is a Tokyo-based project manager specialising in international operations within the global MedTech company. Originally from Hokkaido, he holds a postgraduate degree in international relations — including study periods in the United States and Sweden — and has lived and worked across Malaysia, Switzerland, China, and the Philippines.
Beyond his industry career, he served as Manager for the 23rd World Scout Jamboree in 2015, where he managed liaison with delegations from over 150 countries, coordinated with the World Organisation of the Scout Movement (WOSM), and led on-site risk response. He has also contributed to disaster relief efforts following the Great East Japan Earthquake and other natural disasters across Japan.
This blog covers travel, productivity, technology, and global careers — written as a way of thinking through ideas and consolidating what he learns along the way.
Discover more from hiroshi.today
Subscribe to get the latest posts sent to your email.