GitCode API Usage
Pass. Audited by ClawScan on Apr 30, 2026.
Overview
The artifacts are coherent for a GitCode SDK helper, but users should approve the unpinned Python package install, protect their GitCode token, and explicitly review any write actions.
Install this only if you trust the `gitcode-api` package source, preferably in a virtual environment. Use a least-privileged `GITCODE_ACCESS_TOKEN`, avoid passing tokens on the command line, and require explicit confirmation before the agent creates, updates, deletes, merges, transfers, or changes permissions on GitCode resources.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses these methods without clear user intent, it could modify repository content or merge pull requests.
The skill documents GitCode operations that can create or change repository content and pull requests. This is purpose-aligned for an API SDK helper, but these operations can affect real repositories.
`client.contents.create()`, `client.contents.update()` ... `client.pulls.create()`, `client.pulls.merge()`
Require explicit user approval for create, update, delete, merge, transfer, member, webhook, or OAuth-token actions, and specify the exact owner/repo before running them.
A token may grant access to private repositories, organizations, or account operations depending on its scopes.
The skill uses a GitCode access token, which is expected for GitCode API access and is disclosed in the instructions.
Authentication defaults to the `GITCODE_ACCESS_TOKEN` environment variable, or pass `api_key=...` explicitly.
Use the least-privileged GitCode token possible, prefer environment variables over command-line arguments, and revoke or rotate the token if it is exposed.
Installing an unpinned package can change the local Python environment and may fetch a newer package version than expected.
The skill asks the user to install or upgrade an external PyPI package without pinning a version. This is central to the SDK purpose and user-confirmed, but it is still a supply-chain dependency.
pip install -U gitcode-api
Install only after user approval, consider pinning a reviewed version, and use a virtual environment where possible.
Running the helper scripts executes local Python code and may contact GitCode through the SDK for CLI actions.
The skill includes local Python helper scripts. Their use is disclosed and aligned with environment validation and simple API calls.
`scripts/check_env.py` verifies Python, package import, and token setup. `scripts/gitcode_api_cli.py` is a legacy example CLI.
Run helper scripts only after reviewing the command and keeping tokens out of shell history or process arguments when possible.
Repository and account data requested through the SDK will be sent to or received from GitCode under the authority of the configured token.
The skill is designed to communicate with the GitCode API using a token. This provider communication is disclosed and purpose-aligned.
Base URL: `https://api.gitcode.com/api/v5` ... Token env var: `GITCODE_ACCESS_TOKEN`
Use tokens scoped to the intended GitCode resources, and avoid sending sensitive local data unless the user explicitly requests that API action.
A mistaken owner/repo, token scope, or write operation could affect shared repositories or team workflows.
The documented SDK surface includes actions that can affect repositories, collaborators, and pull-request state. These are legitimate API capabilities but can have broader effects if misapplied.
`client.repos.delete()` ... `client.repos.transfer()` ... `client.members.remove()` ... `client.pulls.merge()`
Confirm target repository/account identifiers and require a review step before any operation that deletes, transfers, merges, changes permissions, or updates shared settings.
