GitLab Team Report
v1.0.0
Generates a GitLab team weekly report: classifies MRs by product feature, aggregates contributions per member and per repository, outputs Markdown/HTML, generates charts and a history index page for past reports, and can optionally upload the result to a Feishu document. Use when the user mentions "GitLab weekly report", "team weekly report", "count this week's MRs/commits", "group development work by feature", "generate an HTML weekly report", "upload the weekly report to Feishu", and similar requests. Ge...
Security Scan (OpenClaw)
Verdict: Suspicious, medium confidence
Purpose & Capability
The code and instructions match the stated purpose (fetch GitLab data, classify MRs, generate markdown/html/charts, optionally upload to Feishu). However the package metadata declares no required credentials or primaryEnv even though the scripts expect a GitLab token and optional Feishu app secrets/tokens (in config/config.json or environment). This mismatch is a notable omission.
Instruction Scope
SKILL.md and scripts clearly describe runtime steps: read config/config.json, run generate-report.sh (which calls GitLab APIs using a token), optionally generate charts and optionally upload to Feishu. The instructions do not ask the agent to access unrelated system files. They do reference reading a user token file (~ path) for Feishu and show commands that modify crontab if the setup-cron helper is used.
Install Mechanism
There is no install spec (instruction-only packaging) and included scripts run with standard interpreters (python, bash, node). No downloaded archives or external install URLs are used by the skill itself. Dependencies are typical Python/node packages and listed in requirements.txt; this is proportionate.
Credentials
The skill requires secrets to function (GitLab PRIVATE token, Feishu app_id/app_secret or user access token) but the registry metadata does not declare any required env vars or a primary credential. The code may read tokens from config/config.json or a user token file in the home directory and also accepts FEISHU_* env vars — this deserves explicit disclosure. Storing tokens in config files or using a user token file is supported but may be surprising if not declared by the skill manifest.
Persistence & Privilege
The optional scripts/setup-cron.sh will modify the user's crontab to run the report and (by default) the Feishu upload on a schedule. While this is an optional helper, it grants persistent periodic execution and will write to crontab and to logs/cron.log. Users should treat cron setup as high-impact and review the crontab command before running.
Scan Findings in Context
[gitlab_api_usage] expected: Multiple scripts call GitLab API endpoints (e.g., /api/v4/users/<id>/events) and require a private token in config/config.json — this is expected for the stated purpose.
[feishu_api_usage] expected: upload-to-feishu.* and scripts/lib/feishu-api.sh call Feishu Open API endpoints and consume app id/secret or a user access token. This matches the optional Feishu upload feature.
[reads_local_token_files] expected: The Node upload script will read a user token file (path from config.feishu.user_token_file, default ~/path/to/feishu_token.json). Reading tokens from local files is expected but should be disclosed in metadata.
[modifies_crontab] expected: setup-cron.sh edits the user's crontab to install a scheduled job that runs generate-upload commands. This is expected for scheduling but has persistence/privilege implications that require user review.
[undeclared_credentials] unexpected: The skill manifest does not declare required credentials (GitLab token, FEISHU_* env or primary credential) even though the code expects them in config or env. Manifest omission may mislead users about the secrets needed.
What to consider before installing
This skill does what it says (collects GitLab activity, classifies MRs, builds reports and optionally uploads to Feishu), but before installing or running it:

1. Inspect config/config.example.json and ensure you will not publish real tokens; the scripts expect a GitLab token and optional Feishu app credentials/user token even though the skill metadata did not declare them.
2. Prefer passing secrets via environment variables or a secured local config, and do not commit config/config.json to source control.
3. Review upload-to-feishu.js and the Feishu helper functions if you plan to enable publishing; ensure tokens and document targets are correct and trusted.
4. Avoid running scripts/setup-cron.sh unless you intend a persistent scheduled job; it will modify your user crontab and run uploads on a schedule.
5. Verify node/python dependencies (pip install -r requirements.txt and the node Lark SDK) from trusted registries before use.

If you want to proceed, populate config/config.json locally with safe/test tokens and run the report manually first to confirm expected behavior.
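The advice above (environment variables first, a locally secured config file second, never a copied example placeholder) can be made mechanical. The loader below is an added example, not the skill's own code: it assumes a config/config.json shape of {"gitlab": {"token": ...}, "feishu": {"app_id": ..., "app_secret": ...}} and the variable names GITLAB_TOKEN, FEISHU_APP_ID and FEISHU_APP_SECRET, which are illustrative (the page only says FEISHU_* variables are accepted). It refuses to run with a placeholder token, lets the environment override the file, and warns when the file holding tokens is readable by other users.

```python
"""Env-first secret loading for the tokens this skill needs (added example).

Assumed layout of config/config.json and assumed env var names; the real
skill's field names may differ.
"""
import json
import stat
import tempfile
from pathlib import Path

# secret name -> (dotted path inside config.json, environment variable that overrides it)
SECRET_SPEC = {
    "gitlab_token": ("gitlab.token", "GITLAB_TOKEN"),
    "feishu_app_id": ("feishu.app_id", "FEISHU_APP_ID"),
    "feishu_app_secret": ("feishu.app_secret", "FEISHU_APP_SECRET"),
}

# Values copied straight from an *.example.json file typically look like these.
PLACEHOLDER_MARKERS = ("your-", "xxx", "changeme", "<", "example")


def check_config_permissions(path: Path) -> list:
    """Warn if a file that holds tokens is readable by group or others."""
    mode = path.stat().st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return [f"{path} is readable by group/others ({stat.filemode(mode)}); chmod 600 it"]
    return []


def _lookup(cfg, dotted):
    """Follow a dotted key path through nested dicts; None if any part is missing."""
    for part in dotted.split("."):
        if not isinstance(cfg, dict) or part not in cfg:
            return None
        cfg = cfg[part]
    return cfg


def looks_like_placeholder(value) -> bool:
    v = str(value).lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)


def load_secrets(config_path, env, required=("gitlab_token",)):
    """Resolve each secret env-first, then from the config file.

    Returns (secrets, warnings); raises ValueError when a required secret is
    absent or still holds an example placeholder.
    """
    path = Path(config_path)
    cfg, warnings = {}, []
    if path.exists():
        cfg = json.loads(path.read_text())
        warnings += check_config_permissions(path)
    secrets = {}
    for name, (dotted, env_var) in SECRET_SPEC.items():
        value = env.get(env_var) or _lookup(cfg, dotted)
        if value is not None and looks_like_placeholder(value):
            if name in required:
                raise ValueError(f"{name} still holds an example placeholder")
            warnings.append(f"{name} looks like a placeholder; ignoring it")
            value = None
        if value is None and name in required:
            raise ValueError(f"missing {name}: set {env_var} or {dotted} in {path}")
        secrets[name] = value
    return secrets, warnings


def demo() -> dict:
    """Constructed scenario: a world-readable config with a placeholder token, then an env override."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "config.json"
        cfg.write_text(json.dumps({"gitlab": {"token": "your-gitlab-token"},
                                   "feishu": {"app_id": "cli_constructed"}}))
        cfg.chmod(0o644)
        results = {}
        try:
            load_secrets(cfg, env={})
            results["placeholder_rejected"] = False
        except ValueError:
            results["placeholder_rejected"] = True
        # "glpat-constructed" is a made-up value, not a real token.
        secrets, warnings = load_secrets(cfg, env={"GITLAB_TOKEN": "glpat-constructed"})
        results["env_wins"] = secrets["gitlab_token"] == "glpat-constructed"
        results["perm_warning"] = any("readable by group" in w for w in warnings)
        cfg.chmod(0o600)
        _, warnings = load_secrets(cfg, env={"GITLAB_TOKEN": "glpat-constructed"})
        results["perm_ok_after_chmod"] = not any("readable by group" in w for w in warnings)
        return results


if __name__ == "__main__":
    print(demo())
```

The same pattern extends to the Feishu user token file the scan mentions: resolve its path from config, apply check_config_permissions to it, and treat a placeholder path such as ~/path/to/feishu_token.json as "not configured" rather than as a real file to read.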
GitLab Weekly Report Generator
Generates a GitLab weekly report suitable for team retrospectives, weekly meeting syncs, and external reporting.
Workflow
- Read config/config.json; if it does not exist, copy config/config.example.json first and fill it in.
- Run scripts/generate-report.sh to generate the main report file.
- If charts are needed, run scripts/generate-charts.py; if matplotlib is missing from the environment, accept the Mermaid fallback.
- To publish to Feishu, use scripts/upload-to-feishu.sh or scripts/upload-to-feishu.js.
- Prefer changing the configuration and classification rules over editing the business scripts directly, unless the requirement itself has changed.
Main capabilities
- Organizes the product-feature weekly report as primary category → secondary category → MR
- Aggregates MRs, commits, and contribution summaries per person → repo
- Outputs weekly_report.md and weekly_report.html
- Generates stats.json, charts, and reports/index.html
- Keeps the Markdown as compatible with Feishu documents as possible
- Attaches GitLab links to MRs and members
- Supports "rules first, heuristic completion" classification
Key files
- scripts/generate-report.sh: command entry point
- scripts/generate-report.py: main logic
- scripts/generate-charts.py: chart generation
- scripts/upload-to-feishu.sh / scripts/upload-to-feishu.js: Feishu upload
- config/config.example.json: example configuration
- config/classification.rules.example.json: example classification rules
- templates/report.template.md: report template
Configuration
Use the following files first:
- config/config.json
- config/classification.rules.json
If a rules file does not exist, copy it from the corresponding *.example.json and then edit it.
Adjust in this order of priority:
- repo_rules: for cases where the repository name, path, or project ownership is obvious
- keyword_rules: supplementary judgement based on title / label / branch keywords
- default_category: fallback category
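The priority order above (repo_rules, then keyword_rules, then default_category) is the whole of the "rules first" half of the classification. The snippet below is an added example, not the skill's generate-report.py, and the rule-file shape it uses (pattern, keywords, category, subcategory fields) is an assumption; the real classification.rules.json may be laid out differently. It shows why ordering matters: a repository match wins even when the title carries a keyword for a different category, and keyword matches are whole-word so that a short keyword like "ci" cannot fire on "decision".

```python
"""Rules-first MR classification in the README's priority order (added example).

Assumed rule-file shape; constructed sample rules and MRs.
"""
import fnmatch
import json
import re

# Constructed sample rules in the shape this example assumes.
SAMPLE_RULES_JSON = """
{
  "repo_rules": [
    {"pattern": "platform/auth-*", "category": "Identity", "subcategory": "Login"},
    {"pattern": "platform/billing", "category": "Payments", "subcategory": "Invoicing"}
  ],
  "keyword_rules": [
    {"keywords": ["sso", "oauth", "login"], "category": "Identity", "subcategory": "Login"},
    {"keywords": ["invoice", "refund"], "category": "Payments", "subcategory": "Invoicing"},
    {"keywords": ["ci", "pipeline"], "category": "Infrastructure", "subcategory": "CI"}
  ],
  "default_category": {"category": "Other", "subcategory": "Unclassified"}
}
"""


def load_rules(text: str) -> dict:
    """Parse the rules and precompile each keyword list as one whole-word, case-insensitive regex."""
    rules = json.loads(text)
    for rule in rules.get("keyword_rules", []):
        alternatives = "|".join(re.escape(k) for k in rule["keywords"])
        rule["_re"] = re.compile(r"\b(" + alternatives + r")\b", re.IGNORECASE)
    return rules


def classify_mr(mr: dict, rules: dict) -> tuple:
    """Return (category, subcategory, matched_by) for one MR.

    mr has keys: repo, title, labels (list of str), branch.
    """
    # 1. repo_rules: glob on the repository path, highest priority.
    for rule in rules.get("repo_rules", []):
        if fnmatch.fnmatchcase(mr["repo"], rule["pattern"]):
            return rule["category"], rule["subcategory"], "repo_rules"
    # 2. keyword_rules: search title, labels and branch together.
    haystack = " ".join([mr.get("title", ""), " ".join(mr.get("labels", [])), mr.get("branch", "")])
    for rule in rules.get("keyword_rules", []):
        if rule["_re"].search(haystack):
            return rule["category"], rule["subcategory"], "keyword_rules"
    # 3. default_category: fallback when nothing matched.
    d = rules["default_category"]
    return d["category"], d["subcategory"], "default_category"


def group_by_category(mrs: list, rules: dict) -> dict:
    """Build the primary -> secondary -> [MR titles] tree the report renders."""
    tree = {}
    for mr in mrs:
        cat, sub, _ = classify_mr(mr, rules)
        tree.setdefault(cat, {}).setdefault(sub, []).append(mr["title"])
    return tree


# Constructed sample MRs (not real project data).
SAMPLE_MRS = [
    {"repo": "platform/auth-service", "title": "Fix token refresh", "labels": [], "branch": "fix/refresh"},
    {"repo": "apps/web", "title": "Add OAuth login button", "labels": ["frontend"], "branch": "feat/login"},
    {"repo": "apps/web", "title": "Speed up pipeline cache", "labels": ["ci"], "branch": "chore/cache"},
    {"repo": "apps/web", "title": "Update README", "labels": [], "branch": "docs/readme"},
]

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_JSON)
    for mr in SAMPLE_MRS:
        print(mr["title"], "->", classify_mr(mr, rules))
    print(json.dumps(group_by_category(SAMPLE_MRS, rules), indent=2, ensure_ascii=False))
```

Keeping matched_by in the result is what makes "heuristic completion" auditable later: anything that landed in default_category is the list of MRs worth adding a repo_rules or keyword_rules entry for.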
Basic usage
```bash
cd /path/to/gitlab-weekly-report
cp config/config.example.json config/config.json
cp config/classification.rules.example.json config/classification.rules.json
./scripts/generate-report.sh \
  -c config/config.json \
  -s 2026-03-14 \
  -e 2026-03-19
```
Optional arguments:
| Argument | Description |
|---|---|
| -c, --config | Configuration file |
| -s, --start-date | Start date |
| -e, --end-date | End date |
| -o, --output | Output directory |
| --no-charts | Skip chart generation |
Typical output
```
reports/
├── index.html
├── latest -> 2026-03-14_to_2026-03-19/
└── 2026-03-14_to_2026-03-19/
    ├── weekly_report.md
    ├── weekly_report.html
    ├── stats.json
    └── charts/
```
Dependencies
Required:
- python3
- jq
Recommended:
- matplotlib
- pandas
- requests
Install:
```bash
pip3 install -r requirements.txt
```
Notes
- Keep SKILL.md focused on workflow and decisions; do not cram large sample configurations into it.
- Prefer adjusting classification results through the configuration and rule files.
- Accept charts falling back to Mermaid; do not let a missing matplotlib block report generation.
- Feishu upload depends on local configuration and permissions; when publishing the skill, do not distribute real tokens or private configuration files.