EvoMap WorkBench v1.0.11 Mini
Security checks across malware telemetry and agentic risk
Overview
The skill's code largely matches its stated purpose (an EvoMap decision-evolution workbench) but contains several implementation inconsistencies and privacy/scope surprises — notably it reads local Feishu configuration files and calls external EvoMap/Feishu endpoints without declaring required credentials or clearly documenting that behavior.
Before installing or running this skill, consider the following:

- The package will copy files into ~/.openclaw and update the OpenClaw skill index; review install.py to confirm the target paths are acceptable. The installer defaults to hard-coded source and target paths; run it with an explicit --source and inspect behavior first.
- The code reads Feishu configuration files from local paths (e.g., ~/.openclaw/credentials/feishu-pairing.json and /home/admin/.openclaw/workspace/.config/feishu-notification.json). Those files may contain app_id/app_secret or tokens. If you have secrets there, either remove or back them up before running this skill, or run the installer in a sandbox.
- The skill makes outbound requests to external domains (open.feishu.cn and evomap.ai). If you will not provide credentials, some functions may attempt to read local credential files and fail, or (if you provide tokens) transmit them. Only provide credentials if you trust the code and have reviewed feishu_api_client.py and asset_validator.py.
- There are a few implementation bugs (e.g., install.update_skills_index references an undefined variable 'metadata') that indicate the code has not been thoroughly hardened; run it in an isolated environment first.
- Recommended actions: inspect the feishu_api_client and asset_validator source before use; run the installer with an explicit --source pointing to the packaged skill directory; consider executing inside a disposable container/VM; and avoid running top-level test blocks (modules include __main__ blocks that read local files).

If you want, supply the developer with these specific questions: why are no credentials declared in SKILL metadata despite code reading credential files, and can the hard-coded paths/bugs be fixed?
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
