GitLab Daily Commit Summary
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill matches its GitLab-to-Feishu reporting purpose, but the script disables HTTPS certificate checks while sending a GitLab token, which could expose credentials or private project data.
Before installing, review the full script, fix TLS certificate verification, use a least-privilege GitLab token, protect config.json and latest_data.json, verify the Feishu webhook recipients, and enable scheduled automation only if you explicitly want unattended daily reports.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker or misconfigured proxy could impersonate GitLab and capture the token or private project data.
The script disables certificate verification for GitLab API requests that carry the user's GitLab token.
_SSL_CTX.check_hostname = False; _SSL_CTX.verify_mode = ssl.CERT_NONE; ... headers={"PRIVATE-TOKEN": config["gitlab_token"]}
Enable TLS verification, install the correct corporate CA certificate if needed, and use a least-privilege read-only GitLab token.
Users may not realize installation requires storing a GitLab token and Feishu webhook locally.
The skill expects local credentials/webhooks in config.json, although registry metadata lists no primary credential or required config path.
"gitlab_token": "glpat-xxxxxxxxxxxx" ... "feishu_webhooks": ["https://open.feishu.cn/open-apis/bot/v2/hook/..."]
Store config.json securely, keep the GitLab token scoped to read_api, and rotate it if the config file is exposed.
Private project activity, contributor names, issue/MR status, or risk notes may be posted to the configured Feishu group.
The intended workflow sends generated GitLab summaries to a Feishu webhook.
Push the AI-generated smart summary content to Feishu ... python gitlab_report.py --send-ai-summary
Confirm the Feishu webhook belongs to the intended chat and avoid sending secrets or overly sensitive issue details.
The local data file may contain private repository metadata, and commit/MR/issue text should be treated as untrusted content during summarization.
The workflow persists raw GitLab data locally and then feeds it into AI analysis.
Save the data to `latest_data.json` ... read the raw data from `latest_data.json`
Protect or delete latest_data.json after use, and instruct the agent to treat all GitLab text as data rather than executable instructions.
If scheduled elsewhere, the report could run and post project activity without a fresh per-run confirmation.
The documentation describes scheduled automatic execution options, although the supplied artifacts do not install a scheduler.
WorkBuddy has configured a scheduled task for you that runs automatically every day at 18:00 ... 0 18 * * * /usr/bin/python3 /path/to/gitlab_report.py
Only enable WorkBuddy, cron, webhook, or CI schedules after explicit approval, and audit any existing scheduled jobs.
