ai-zidong-tibug
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent ZenTao bug-ticket helper, but it logs in and creates tickets by default using account credentials that are under-declared in metadata.
Install only if you want the agent to log in to ZenTao and create real defect tickets. Set ZENTAO_URL explicitly, use a least-privileged bot account, verify product/module/assignee/attachments before submission, and protect or delete the saved token file. If you only want rewritten bug text, explicitly use the no-submit mode.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
It could create and assign real tickets, and potentially upload attachments, when the user only expected drafting or normalization.
The skill directs the agent to create ZenTao defects by default, rather than requiring an explicit confirmation step before mutating the user's issue tracker.
Evidence: Default behavior: after each bug is generated, automatically log in to ZenTao and create a defect ticket; submission is skipped only when the user explicitly says “只生成不提单” (generate only, do not submit).
Make ticket submission opt-in, require a final review/confirmation for each batch, and use the “只生成不提单” (generate-only, no-submit) mode unless automatic submission is explicitly intended.

Users may install it without realizing it needs real ZenTao and HTTP Basic credentials with authority to create defects.
The registry metadata says no credentials or environment variables are needed, but the skill's ZenTao workflow requires HTTP_USER, HTTP_PASS, ZENTAO_USER, and ZENTAO_PASS for automatic login and submission.
Evidence: Required env vars: none; Env var declarations: none; Primary credential: none
Declare all required credentials and capabilities in metadata, and use a least-privileged bot account rather than a personal account.

A user from another organization could accidentally send credentials to the default domain if they do not explicitly configure their own ZenTao URL.
If ZENTAO_URL is not set, the script sends HTTP Basic credentials and the ZenTao username/password to a default external ZenTao host.
Evidence: ZENTAO_URL=https://pm.jsyyds.com/ ... response = requests.post(endpoint, auth=HTTPBasicAuth(http_user, http_pass), json=payload, timeout=30, verify=verify_ssl)
Require ZENTAO_URL to be set explicitly before login, and clearly warn users which host will receive credentials.

Anyone with access to that file may be able to reuse the saved session token until it expires or is revoked.
The login script stores the ZenTao token and account name in a local state file for reuse.
Evidence: "token": token, "account": config["username"], ... save_state(save_path, state)
Store the token file in a restricted location, avoid committing it, delete it after use, and rotate/revoke tokens if exposed.

The agent will run local scripts that make network requests and modify ZenTao when invoked.
The skill intentionally runs local Python scripts to log in and submit tickets. This is central to its purpose and disclosed, but still means installing the skill enables local code execution.
Evidence: Commands to run: `python3 scripts/zentao_login_and_save_state.py` ... `python3 scripts/zentao_submit_bugs.py --input <bugs.json> --product-id <产品ID>` (where `<产品ID>` is the product ID)
Inspect the scripts, run them in a controlled environment, and do a dry run or no-submit workflow before allowing automatic submissions.
