team-efficiency-daily-report
v1.0.0Generate team efficiency daily report automatically
⭐ 0· 103·0 current·0 all-time
by@bondli
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description match the implementation: the code uses Puppeteer (browser automation), captures XHR payloads, modifies time ranges, calls the data API, parses results and writes JSON/Markdown reports. The package.json dependencies and the included utils (api/parser/report) are appropriate for this functionality. Example config contains corporate dashboard/dataAPI endpoints which are consistent with intended use.
Instruction Scope
SKILL.md tells the agent to run 'node dist/index.js' and configure config.json; the code will open the provided dashboard URL, listen to page requests to capture POST payloads for the configured dataAPI, then perform fetch() from the page context. This is within scope, but capturePayload will record request bodies (postData) and requestAPI runs fetch in the page context (so requests run with the page's cookies/credentials). That means the skill will operate using whatever authenticated session the browser provides — review this because captured payloads and in-page fetches can include sensitive data.
Install Mechanism
There is no install spec (instruction-only), but the bundle includes code and package.json declaring puppeteer / puppeteer-core and @bondli-skills/shared. Running/installing may pull Chromium (puppeteer) and requires Node runtime. No arbitrary external downloads or obscure URLs appear in the package itself, but the shared dependency isn't included in this bundle so you should vet it separately.
Credentials
The skill declares no required environment variables or credentials and writes files to ~/openclaw-skill-data/team-efficiency-daily-report/. That is proportionate. However, it relies on an authenticated browser session (login) to access protected dashboards and will capture XHR payloads and perform authenticated fetches — effectively it can read whatever data your browser session has access to even though no explicit credentials are requested.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide settings. It creates and writes only to its own directory under the user's HOME. There is no elevated/system persistence requested by the package.
Assessment
This skill appears to do what it says (use a browser to capture dashboard XHR and generate local reports), but review before installing: 1) It requires running a browser session and will capture POST payloads and perform fetches using the page's authenticated context — any sensitive tokens or confidential data accessible in that session may be captured. 2) Examine the @bondli-skills/shared dependency (connectBrowser) before use to ensure it doesn't reuse your primary browser profile or exfiltrate data. 3) Edit config.json to point to only the dashboards/APIs you trust (the example includes internal corporate URLs). 4) Consider running it in an isolated account or VM if you are not comfortable giving it access to your main authenticated browser session. 5) Be aware Puppeteer may download Chromium at install time and the skill will write data into ~/openclaw-skill-data/team-efficiency-daily-report/.Like a lobster shell, security has layers — review code before you run it.
latestvk975z6stwx8z0fhvq6fe7c4ckd83gnhy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.