Storage Manager

Warn. Audited by ClawScan on May 10, 2026.

Overview

This Feishu inventory skill mostly matches its stated purpose, but it embeds default Feishu credentials/table IDs and has a test command that may write records.

Before installing, inspect or remove the embedded Feishu defaults, set your own FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_BITABLE_TOKEN, and FEISHU_TABLE_ID, and use a dedicated least-privilege Feishu app/table. Avoid running test-match unless it has been changed to a true dry run, and expect selected item/location photos to be uploaded to Feishu.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user does not set their own Feishu environment variables, item names, locations, and selected images may be read from or written to a hardcoded Feishu app/table rather than the user’s intended workspace.

Why it was flagged

The code falls back to embedded Feishu app credentials and a fixed Bitable token, then uses them to request a tenant access token. This is not just a documented user credential flow.

Skill content

self.app_id = os.getenv("FEISHU_APP_ID", "cli_a956...")
self.app_secret = os.getenv("FEISHU_APP_SECRET", "HHEZED...mpB71")
self.bitable_token = os.getenv("FEISHU_BITABLE_TOKEN", "AO6r...onjK")
...
data = {"app_id": self.app_id, "app_secret": self.app_secret}

Recommendation

Remove hardcoded secrets and table tokens, require explicit user-provided configuration, fail closed when credentials are missing, and declare the Feishu credential and permission requirements in metadata.

What this means

Running or letting the agent run the test command can create unwanted test records in the Feishu table, especially for existing locations that do not require a photo prompt.

Why it was flagged

A command described as testing location matching invokes the same add-storage path used for real inventory creation, so it is not clearly a dry run.

Skill content

test_parser = subparsers.add_parser("test-match", help="测试位置匹配")
...
result = manager.add_storage_item(
    item_name="测试物品",
    location=args.location,
    item_image_path=None
)

Recommendation

Make test-match a true read-only dry run, or clearly label it as mutating and require explicit confirmation before creating any record.

What this means

Installation changes the local command path and depends on whatever version of requests pip resolves at install time.

Why it was flagged

The user-directed installer installs an unpinned dependency and creates a local executable symlink. This is common for CLI setup but should be noticed.

Skill content

pip3 install requests
...
ln -sf "$SCRIPT_DIR/cli.py" "$HOME/.local/bin/storage-manager"

Recommendation

Pin dependency versions, document exactly what the installer changes, and let users opt in to creating the symlink.

What this means

Private inventory/location data is loaded into the skill process, and incorrect or unwanted existing records can influence future automatic location choices.

Why it was flagged

The skill reads existing Feishu Bitable records and reuses their Location values as context for future automatic matching.

Skill content

records = self._list_all_records()
...
location = record["fields"].get("Location", "")
...
self.existing_locations = sorted(list(locations))

Recommendation

Use a dedicated Feishu table, keep records clean, restrict app permissions to only that table, and review automatic matches for important items.