旺小宝
Warn
Audited by ClawScan on May 14, 2026.
Overview
The plugin is coherent for Wangxiaobao OAuth and data syncing, but it grants broad read/write account authority through a generic API tool and stores/reads sensitive local state in ways users should review.
Install only if you trust this publisher and are comfortable granting Wangxiaobao read/write OAuth access. Prefer registering the tools for one agent rather than all agents, avoid using the generic xiaobao_api tool for mutations without explicit review, keep the generated wiki private, and consider moving the sync cursor out of .env before running audio-wiki sync.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After authorization, an allowed agent could potentially create, modify, or delete Wangxiaobao account data through raw API calls, not just perform the documented read-only queries.
The plugin exposes a generic API caller with mutating methods and arbitrary relative paths, instead of limiting the agent to the safer typed read/query tools.
`xiaobao_api` ... method `"GET"|"POST"|"PUT"|"PATCH"|"DELETE"` ... `path` `string` ... `body` ... `headers`
Disable or restrict xiaobao_api by default, add method/path allowlists, and require explicit user confirmation for POST/PUT/PATCH/DELETE requests.
Authorizing the plugin may give it broader Wangxiaobao account permissions than a user expects for audio/customer lookup workflows.
The default OAuth scope includes write authority even though most bundled skills are described as querying, syncing, or local wiki generation.
"scopes": { "default": "openid profile read write" }
Use least-privilege scopes by default, separate read-only and write-capable modes, and clearly prompt users before requesting write access.
Other parties may be able to impersonate the same OAuth client identity, increasing account-authorization and trust risks.
A packaged OAuth client secret is exposed in the distributed JavaScript artifact, so it should not be treated as a confidential secret.
const DEFAULT_CLIENT_SECRET = "[REDACTED]";
Treat this as a public client, remove the client secret from distributed code if possible, rotate the exposed secret, or move confidential client credentials to protected server-side infrastructure.
If agent identity is unavailable on some invocation path, one agent may use a globally shared Wangxiaobao login rather than an isolated per-agent token.
The documented fallback can move OAuth token use from per-agent workspace storage to a global token file.
**fallback**: if the hook cannot obtain an agentId ... the plugin falls back to the global path `~/.openclaw/state/wangxiaobao/token.json`.
Fail closed when agent identity is missing, or require an explicit user opt-in for global token fallback and make it visible in metadata.
API keys or other secrets in the same .env file could enter the agent context or be accidentally changed while updating the sync cursor.
The skill tells the agent to read and edit the project .env file to manage a cursor, which may expose unrelated local credentials stored in that file.
Step 5: advance the cursor ... Read `./.env` ... Edit to replace the `WB_SYNC_CURSOR=...` line; append it if absent ... **keep** the other keys in `.env`
Store the sync cursor in a dedicated non-secret state file, or require explicit user approval before reading/editing .env.
Customer conversations, sales notes, and derived profiles may remain on disk and be reused in future agent sessions.
The skill intentionally persists audio transcripts and derived customer/sales knowledge into a local wiki for later reuse.
Take each text item → write the wiki in layers by project / consultant / date / recording ... ingest distills it into ... consultant profiles / customers / topics / sales scripts
Run this only in a trusted workspace, keep the wiki private, review files before sharing or syncing them, and delete local wiki content when it is no longer needed.
Using --all-agents expands the set of agents that can invoke Wangxiaobao tools after installation.
The helper can add this plugin's tools to every configured agent's alsoAllow list by modifying openclaw.json.
if (flags.allAgents) { targets = allAgents; } ... writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + '\n', 'utf8');
Prefer registering only the specific agent that needs Wangxiaobao access, and use the provided unregister or dry-run options to audit changes.
