Yuqing Data To Bitable
Review
Audited by ClawScan on May 18, 2026.
Overview
This looks like a real XiaoAi-to-Feishu sync skill, but it uses powerful Feishu/XiaoAi credentials and documents a recurring cron sync without those permissions being clearly declared.
Review this skill before installing: confirm the real entrypoint, use least-privileged Feishu/XiaoAi credentials, run it manually against a test Bitable first, check whether a cron job is installed, and restrict access to the .env, logs, and .cache files.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running this skill may require giving it credentials that can read from XiaoAi and write to Feishu Bitable.
The skill requires sensitive Feishu app credentials and a XiaoAi API token, while the registry metadata declares no required env vars or primary credential.
parser.add_argument("--app_secret", ... required=True ...); parser.add_argument("--xiaoai_token", ... required=True ...)
Use a least-privileged Feishu app, confirm the exact Bitable scopes, avoid sharing long-lived secrets, and require the skill metadata to declare these credentials clearly.
The sync may continue running in the background and keep modifying the target Feishu table after initial setup.
The documentation describes a persistent scheduled job that repeatedly runs the sync from an OpenClaw workspace path, but the install metadata does not declare a persistence mechanism.
Cron is configured to run every 10 minutes: */10 * * * * /home/admin/.openclaw/workspace/skills/yuqing-data-to-bitable/sync.sh
Inspect the user's crontab before and after installation, disable the schedule unless explicitly desired, and run the sync manually first against a test table.
The target Bitable's structure and records may be changed automatically.
The skill can create fields in the target Feishu Bitable, which is aligned with its stated field-mapping purpose but is a schema-changing action.
url = f"https://open.feishu.cn/open-apis/bitable/v1/apps/{app_token}/tables/{table_id}/fields" ... resp = session.post(url, headers=headers, json=payload, timeout=10)
Point the skill only at the intended Bitable, back up important tables, and test with a non-production table before enabling scheduled sync.
Anyone with access to the skill directory may be able to read a cached Feishu access token while it is valid.
The skill stores a Feishu tenant access token on disk in a local cache for reuse.
TOKEN_CACHE_FILE = os.path.join(CACHE_DIR, 'tenant_token.json') ... json.dump({'token': data["tenant_access_token"], 'timestamp': time.time()}, f)
Keep the skill directory private, restrict permissions on .env and .cache, and clear the cache when rotating or revoking credentials.
The skill may fail to run as declared, or users may run a different file than the SKILL.md suggests.
The declared entrypoint references a file that is not present in the provided manifest, while other runnable files such as main.py are included.
entrypoint:
  command: "python"
  args:
    - "xiaoai_to_bitable_skill.py"
Ask the publisher to fix the entrypoint and provide complete, consistent runtime documentation before relying on the skill.
