GitCode Repo Daily
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears purpose-aligned for generating GitCode repository reports, but it needs a GitCode token and stores report data locally.
Before installing, make sure you are comfortable giving it a GitCode token and letting it store repository report data locally. Use the least-privileged token that works, and periodically clean the skill’s temp_dir and resources/report.db if the repositories contain sensitive information.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can access whatever GitCode repository data the provided token permits, including private repository information if the token has that scope.
The skill requires and reads a GitCode credential, including Windows user/system environment variables, to access repository data.
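**GITCODE_TOKEN**: read in the following priority order; the first location that has a value is used. ... 1 | Process environment variable `GITCODE_TOKEN` ... 2 | Windows user-level environment variable ... 3 | Windows system-level environment variable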
Use a minimally scoped GitCode token and avoid using a token with broader account permissions than needed for report generation.
Operational data from the configured repositories may remain on disk after the report is generated.
The skill persists repository metrics, AI summary input data, and summaries in a local SQLite database for reuse across report runs.
**Path**: `{skill_root}/resources/report.db` ... **daily_metrics** ... `merged_prs_for_ai_json`; ... **daily_summaries** ... when run multiple times on the same day, the latest is kept.
Treat the skill directory as containing potentially sensitive repo metadata, and delete resources/report.db or temp_dir files if you do not want historical data retained.
Using the skill runs local code that calls GitCode APIs and writes report/config/database files.
The skill operates by running an included local Python script; this is central to the skill’s purpose and is clearly documented.
`python <SKILL_ROOT>/scripts/generate_daily_report.py [--date YYYY-MM-DD] [--repos "owner/repo,..."]`
Install it only if you are comfortable with the included script running locally for GitCode reporting.
Users have less external context for verifying where the skill came from.
The registry metadata does not provide an upstream source or homepage for independent provenance verification.
Source: unknown; Homepage: none
Review the included artifacts and install from trusted channels; prefer versions with clear source provenance when available.
