XiaxiaBao Doc Manager

Warn

Audited by ClawScan on May 11, 2026.

Overview

The skill’s Feishu document-management purpose is coherent, but it can automatically back up local agent memory/config files and mutate cloud documents using fixed Feishu targets, so it needs review before use.

Install only if you intend this agent to manage the specified Feishu workspace. Before use, replace all Feishu IDs with your own, review Feishu app scopes, disable or narrow scheduled backups, exclude secrets from MEMORY.md/openclaw.json backups, and require confirmation before any archive, move, status update, or cleanup action.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private agent memory, notes, configuration, or secrets stored in those files could be copied into Feishu and retained in the document system.

Why it was flagged

The backup workflow reads persistent agent memory and OpenClaw configuration from local root paths and stores the contents as Feishu documents.

Skill content

"localPath": "/root/.openclaw/workspace/MEMORY.md" ... "localPath": "/root/.openclaw/openclaw.json" ... "Read the local file contents" ... "Create a Feishu document"

Recommendation

Disable these backups by default, require explicit user approval, exclude secrets, and let users choose exact source files and destination folders before any upload.

What this means

If used as-is, document creation, moves, indexing, and backups may target a preselected Feishu workspace or owner context instead of a user-confirmed destination.

Why it was flagged

The skill embeds concrete Feishu workspace/resource identifiers and an owner identity as configuration, while the registry declares no primary credential or required config.

Skill content

"wiki": { "spaceId": "7615898038325775298", "rootNodeToken": "YFzKwgaQnitE6Kk8GgecBleXnnb" } ... "bitable": { "appToken": "BL5yb83nQalWeqsUpmIcl9fnnif" ... } ... "owner": { "openId": "ou_dc8bc16a816fb8fb48ea92d28700fa82" }

Recommendation

Remove hardcoded workspace identifiers from the skill instructions, require user-owned configuration, and declare the Feishu credential/scopes needed for Wiki, Drive, Docs, and Bitable access.

What this means

Documents or backups could be moved, reclassified, or deleted from their expected locations automatically, causing confusion or data loss if rules are wrong.

Why it was flagged

The documented workflows can automatically move cloud documents, update index state, and clean old backups without an explicit confirmation step in those workflows.

Skill content

doc-archive: "Trigger: cron schedule (once a week) or manual" ... "move to the `归档/YYYY-MM/` folder in drive" ... "update `文档状态=📁归档` in bitable" ... doc-backup: "clean up old backups exceeding maxCopies"

Recommendation

Use dry-run reports and require user confirmation for archive, move, status-update, and cleanup actions, especially for scheduled runs.

What this means

Once enabled in an agent environment, the skill may keep backing up files and changing Feishu documents on a schedule rather than only when directly requested.

Why it was flagged

The skill describes recurring autonomous operation, but the artifacts do not show an opt-in schedule setup, disable mechanism, or containment boundaries.

Skill content

doc-backup: "Trigger: cron schedule (once a day)"; doc-archive: "Trigger: cron schedule (once a week) or manual"

Recommendation

Make scheduled execution explicitly opt-in, document how to pause or uninstall it, and separate user-invoked tasks from background automation.

What this means

Users may assume reviewed configuration/templates exist when they are not included in the submitted package.

Why it was flagged

The README describes required configuration and template files, but the provided manifest contains only README.md and SKILL.md.

Skill content

feishu-doc-manager/ ... data/config.json ... data/backup-sources.json ... data/classification-rules.json ... data/templates/

Recommendation

Verify the referenced repository or provide the missing data files in the package before relying on the documented setup.