Gitlab Mr Review Pipeline

v1.0.0

Automated GitLab MR code review pipeline. Uses AI to review merge requests, generates a report and emails it to the submitter.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill claims to read GitLab MRs, run an AI code review, render PDF reports and email them. The included scripts read a local config file with a GitLab access token and email auth code and call the GitLab API — these are the credentials and actions one would reasonably expect for this purpose.
Instruction Scope
SKILL.md instructs the agent to read ~/.config/gitlab-mr-review-pipeline/config.json and to run several scripts (gitlab-api.py, mr-records.py, cleanup.py). That is within scope for a review pipeline, but the skill references running a pipeline orchestrator (pipeline.py) which is not present in the bundle — the orchestration would need to be done by the agent or added by the user. The instructions also call external dependent skills (code-review, md-to-pdf-advanced, email-mail-master), so the agent will need network access to install and invoke those. The SKILL.md also suggests using npx clawhub install — which is consistent with dependency installation.
Install Mechanism
No built installers or remote downloads are embedded. The SKILL.md recommends installing other skills via 'npx clawhub install', and all code is included in the package. There are no URLs, archive downloads, or extract steps that would write arbitrary external code during install.
Credentials
The registry metadata lists no required environment variables, but the runtime flow depends on a config file containing a GitLab access_token and an email auth_code. Those are proportional to the described functionality. The bundle stores credentials in ~/.config/gitlab-mr-review-pipeline/config.json and init-config.py sets file permissions to 600, which is good practice. Users should still verify token scopes and limit the token to only the needed API permissions.
Persistence & Privilege
The skill does not request 'always: true' or other elevated platform privileges. It writes its own config and record files under ~/.config/gitlab-mr-review-pipeline and temporary reports under local paths; this is normal for a local automation tool and does not modify other skills or system-wide agent settings.
Assessment
This package appears to be what it says: it needs a GitLab access token and an email auth code (stored at ~/.config/gitlab-mr-review-pipeline/config.json) to query MRs and email reports. Before installing or running:
1) Inspect the code (already included) to confirm there are no unexpected network endpoints; the scripts only call your GitLab host and use local file I/O.
2) Note that pipeline.py is referenced by init-config.py but not included; decide whether the agent will orchestrate the pipeline or you will add an orchestrator.
3) Limit the GitLab token scope to the minimum (API read/merge-request access only) and prefer a dedicated service account.
4) Treat the email auth code like a secret; the installer sets the config file to 0600, which is good.
5) Run the init-config script locally (not in a shared environment) to input and validate credentials.
6) If you plan to let the agent invoke this autonomously, be aware it will have the ability to read the config file, call the GitLab API and send emails; only enable autonomous runs if you trust the skill and the environment.
If you want, request the missing pipeline orchestrator from the publisher or add your own to avoid unexpected automatic behavior.


