PingCode
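v1.1.0
PingCode R&D management platform API integration. Supports querying work items, generating weekly reports, managing project progress, and more. Use cases: R&D management automation, team collaboration, data analysis.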
by @anytao
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, metadata.json and the included Python scripts all implement PingCode API actions (list projects, work items, update items, generate reports). The two required env vars (PINGCODE_CLIENT_ID, PINGCODE_CLIENT_SECRET) are appropriate for client-credentials access to PingCode.
Instruction Scope
SKILL.md instructs running the included Python scripts and setting only the two environment variables, which matches the scripts. Minor inconsistencies: SKILL.md references a create_workitem.py (marked '待实现', "to be implemented") but that file is not present in the package; references/api_docs.md lists slightly different endpoint paths than some scripts (e.g., /v1/agile/workitems vs /v1/project/work_items). The scripts do not perform pagination beyond a single page and return large page_size defaults; these are functional limitations, not malicious behavior.
Install Mechanism
No install spec or external downloads — this is instruction-and-source-file-only. All Python code is included in the package; nothing is fetched from third-party URLs or executed from unknown archives.
Credentials
Only PINGCODE_CLIENT_ID and PINGCODE_CLIENT_SECRET are required. Those are the expected credentials for the client-credentials grant used by the scripts. No other secrets, unrelated service keys, or system config paths are requested.
Persistence & Privilege
always:false and user-invocable:true (default) — no forced or persistent platform-level presence. disable-model-invocation is false (normal); combined with the limited env vars and no install steps this does not raise extra privilege concerns.
Assessment
This package appears to be what it claims: a PingCode API client implemented as local Python scripts that use client credentials. Before installing/using:
1) Verify the PingCode app you create grants only the minimum scopes needed (avoid wide enterprise scopes if possible).
2) Keep PINGCODE_CLIENT_ID and PINGCODE_CLIENT_SECRET in a secure place (environment variables or a secrets manager), and do not paste them into chat.
3) Review the included scripts yourself (they are plain Python): confirm they only call open.pingcode.com and you are comfortable with their behavior.
4) Note the SKILL.md mentions create_workitem.py but that file is missing; if you need creation capability, implement or obtain the missing script from a trusted source.
5) Be aware scripts fetch one page at a time (no pagination loop); you may need to adapt them for large projects.
6) If you allow autonomous invocation by an agent that has these environment variables, consider limiting that agent's access or rotating credentials if they become exposed.
Like a lobster shell, security has layers: review code before you run it.
Runtime requirements
Env: PINGCODE_CLIENT_ID, PINGCODE_CLIENT_SECRET
