Tapd
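v0.1.3
Use this Skill when the user needs to query, create or update TAPD requirements, tasks, bugs, comments, workflows, iterations, test cases, Wiki, work hours or release plans, or to send enterprise WeChat notifications. It calls the TAPD Open API using the Python standard library and does not depend on MCP or third-party HTTP libraries.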
by daizhihong @kevindai
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (TAPD client) match the code and SKILL.md: the package constructs HTTP requests to TAPD endpoints and can send enterprise WeChat messages. One minor inconsistency: registry metadata declares TAPD_ACCESS_TOKEN as the required env var, while SKILL.md and the code accept either TAPD_ACCESS_TOKEN or TAPD_API_USER + TAPD_API_PASSWORD (the code enforces one of these). This difference is minor and explainable.
Instruction Scope
SKILL.md instructs building and sending TAPD API requests and refers only to TAPD-related endpoints and an optional BOT_URL for WeChat messages. The included Python script follows those instructions and only reads the declared environment variables (TAPD_ACCESS_TOKEN or TAPD_API_USER/TAPD_API_PASSWORD, TAPD_API_BASE_URL, TAPD_BASE_URL, BOT_URL, CURRENT_USER_NICK). It does not attempt to read unrelated files or system secrets.
Install Mechanism
This is an instruction-only skill with a single Python stdlib client file and no install spec — nothing is downloaded or written to disk as part of an installer, which minimizes install-time risk.
Credentials
Requested credentials are proportional to the stated purpose: TAPD_ACCESS_TOKEN or API user/password are required for TAPD access, and BOT_URL is optional for sending enterprise WeChat messages. Note: if TAPD_API_BASE_URL or BOT_URL are set to untrusted endpoints (malicious host), the skill will send credentials or message content to those hosts — the skill will use whichever TAPD_API_BASE_URL is in the environment, so ensure those env vars are trustworthy.
Persistence & Privilege
always is false and the skill has no install-time persistence mechanism; it does not modify other skills or global agent settings. Autonomous invocation is allowed by default but is not combined with any unusual privileges.
Assessment
This skill is a straightforward TAPD API client. Before installing: (1) only provide it a TAPD token or an API user/password with the minimum necessary permissions — avoid using full-admin tokens if not needed; (2) verify TAPD_API_BASE_URL and BOT_URL environment variables are set only to trusted endpoints (a malicious TAPD_API_BASE_URL would cause credentials to be sent to that host); (3) BOT_URL is optional and will cause the skill to POST messages to that webhook if configured — treat it like any webhook and limit its scope; and (4) if you need stronger isolation, run the skill in an environment where only network access to TAPD (and the configured BOT_URL, if used) is permitted. Finally, note the small metadata mismatch: the registry marked TAPD_ACCESS_TOKEN as required but the code also accepts TAPD_API_USER + TAPD_API_PASSWORD — supply one of those authentication options as appropriate.
Like a lobster shell, security has layers — review code before you run it.
latest vk97dyb0yxty9t45dsvemt3q12182v2cm
Runtime requirements
📋 Clawdis
Env: TAPD_ACCESS_TOKEN
Primary env: TAPD_ACCESS_TOKEN
