ZenTao Analytics

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is presented as analyzing real ZenTao employee task data, but the included analysis script currently generates reports from hard-coded mock data.

Review this skill carefully before installing. It appears unfinished: the main script uses hard-coded demo data rather than real ZenTao data, so do not use its reports for employee evaluation until the data connection is implemented and verified. If you proceed, use read-only ZenTao credentials and protect any exported reports.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could mistake mock rankings, workload warnings, and efficiency scores for real employee analytics and make poor management or resource-allocation decisions.

Why it was flagged

The skill description says it accesses ZenTao API/database data, but the main script currently returns simulated employee records while still printing that it is fetching ZenTao task data.

Skill content

// TODO: implement real API calls or database queries ... // mock data for demonstration ... return { employees: [

Recommendation

Do not rely on generated reports until real ZenTao data fetching is implemented, reviewed, and tested. The tool should clearly label mock/demo output.

What this means

If over-privileged credentials are used, the skill or any future code changes could access more ZenTao data than needed.

Why it was flagged

The skill documents use of ZenTao API keys or database credentials, including a root database-user example. This is expected for the stated analytics purpose, but it is sensitive authority.

Skill content

export ZENTAO_API_KEY=your_api_key_here ... export ZENTAO_DB_USER=root ... export ZENTAO_DB_PASS=your_password

Recommendation

Use a dedicated read-only ZenTao API token or database account limited to the required task, user, project, and worklog data.

What this means

Reports may contain employee workload, efficiency, and performance-related information that should not be broadly shared.

Why it was flagged

The analysis script can persist generated employee metrics to local JSON or CSV files.

Skill content

fs.writeFileSync(outputPath, JSON.stringify(metrics, null, 2));

Recommendation

Store outputs in an access-controlled location, avoid committing reports to version control, and delete old reports when no longer needed.

What this means

The package appears incomplete or not fully wired up, which increases the chance of setup mistakes or reliance on undocumented code later.

Why it was flagged

The documentation references files and helper workflows that are not included in the provided file manifest, such as api-schema.md and connection-test scripts.

Skill content

**references/api-schema.md** - ZenTao API data structures

Recommendation

Request a complete package with all referenced files and confirm any added helper scripts before running them.