旺小宝

Pass

Audited by VirusTotal on May 14, 2026.

Findings (1)

Package: @puyinkai/openclaw-xiaobao (npm)
Version: 0.1.17
Description: OpenClaw plugin for 旺小宝 (wangxiaobao) — bundles auth / audio-sync / switch-project skills with shared OAuth device flow and token store

The package is an OpenClaw plugin providing tools for interacting with the Wangxiaobao service API using OAuth 2.0 Device Authorization Grant. The implementation correctly handles sensitive operations:

1. **Authentication:** Uses hardcoded application credentials (client ID/secret) for the OAuth flow directed exclusively to the specified `wangxiaobao.com` domains (or configurable endpoints).
2. **Storage:** User tokens are stored securely in the agent's workspace directory (`<workspaceDir>/.state/wangxiaobao/token.json`) with strict permissions (0600), ensuring per-agent isolation. Global project state (`active-project.json`) is stored similarly under `~/.openclaw/state`.
3. **Functionality:** The tools encapsulate standard CRUD operations against the expected external API endpoints.

There is no evidence of arbitrary code execution, unauthorized network access outside configured endpoints, or suspicious file system manipulation. The file operations are confined to the necessary OpenClaw state directories for persistent configuration. The logic is standard for a secure, proprietary service integration plugin.