GitCode Repo Daily
Advisory
Audited by Static analysis on Mar 12, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can access whatever GitCode repository data the provided token permits, including private repository information if the token has that scope.
The skill requires and reads a GitCode credential, including Windows user/system environment variables, to access repository data.
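**GITCODE_TOKEN**: read in the following priority order; the first location that has a value is used. ... 1 | Process environment variable `GITCODE_TOKEN` ... 2 | Windows user-level environment variable ... 3 | Windows system-level environment variable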
Use a minimally scoped GitCode token and avoid using a token with broader account permissions than needed for report generation.
Operational data from the configured repositories may remain on disk after the report is generated.
The skill persists repository metrics, AI summary input data, and summaries in a local SQLite database for reuse across report runs.
**Path**: `{skill_root}/resources/report.db` ... **daily_metrics** ... `merged_prs_for_ai_json`; ... **daily_summaries** ... When run multiple times on the same day, the latest result is kept.
Treat the skill directory as containing potentially sensitive repo metadata, and delete resources/report.db or temp_dir files if you do not want historical data retained.
Using the skill runs local code that calls GitCode APIs and writes report/config/database files.
The skill operates by running an included local Python script; this is central to the skill’s purpose and is clearly documented.
`python <SKILL_ROOT>/scripts/generate_daily_report.py [--date YYYY-MM-DD] [--repos "owner/repo,..."]`
Install it only if you are comfortable with the included script running locally for GitCode reporting.
Users have less external context for verifying where the skill came from.
The registry metadata does not provide an upstream source or homepage for independent provenance verification.
Source: unknown; Homepage: none
Review the included artifacts and install from trusted channels; prefer versions with clear source provenance when available.
