team-quality-daily-report
v1.0.0Generate team quality daily report automatically
⭐ 0· 73·0 current·0 all-time
by@bondli
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (team quality daily report) lines up with the code and SKILL.md: the skill launches/attaches to a browser, captures an XHR payload for the configured dashboard API, modifies time filters, fetches data, parses it, saves JSON and produces a Markdown report. Declared dependencies (puppeteer / puppeteer-core and a browser helper) are consistent with this purpose.
Instruction Scope
The SKILL.md instructions closely match the implementation (run node dist/index.js). The runtime will open or connect to an existing Chrome instance, capture network requests for the configured dataAPI, perform a POST from the page context, and save files under ~/openclaw-skill-data/team-quality-daily-report/. This is within the stated scope. Important behavioral details are worth highlighting: it intentionally reuses browser login state (requires you to be logged into the dashboard), listens to XHR requests to capture payloads, and runs a fetch inside the page context (so requests are made with the browser's context).
Install Mechanism
There is no install spec in the registry entry (instruction-only), but the package includes a package.json with puppeteer and puppeteer-core. That means the skill expects Node and its dependencies to be installed (puppeteer may download Chromium or rely on an existing browser). The absence of an install spec is not malicious but increases friction and means you must run dependency installation manually (pnpm/npm).
Credentials
The skill does not request environment variables or external credentials. However, it intentionally connects to your local browser and reuses its session cookies/SSO to access the dashboard API — this grants the skill access to any data the logged-in browser can reach. It also writes files to your home directory under ~/openclaw-skill-data/team-quality-daily-report/. Those capabilities are proportional to the task but are sensitive and worth considering before running.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It writes output files to a per-skill directory in the user's home and closes the browser. It does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: automate a browser to capture a dashboard API payload, fetch data, and generate local JSON/Markdown reports. Before installing or running it, consider the following: 1) It connects to your Chrome and reuses login session/cookies — only run it if you trust the code and the target dashboard; the skill will be able to access anything your logged-in browser can. 2) The package depends on an external helper package (@bondli-skills/shared) which is not included in this review; audit that dependency (or inspect its source) because it implements the connectBrowser helper and may perform additional actions. 3) You must install Node dependencies (pnpm/npm) and possibly allow puppeteer to download Chromium or connect to an existing browser. 4) The skill saves files to ~/openclaw-skill-data/team-quality-daily-report/ — verify that config.json points to the intended internal/external API and does not contain secrets. 5) Avoid running it unattended (cron) while a privileged or unrelated browser session is active unless you trust all code and dependencies. If you want higher confidence, request the source for @bondli-skills/shared and verify there is no unexpected network exfiltration or credential usage.Like a lobster shell, security has layers — review code before you run it.
latestvk97dmhp5t1wkjarb0mcsgssa5983gzna
License
MIT-0
Free to use, modify, and redistribute. No attribution required.