Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GitLab Team Report
v1.0.0
Generate GitLab team weekly reports: classify MRs by product feature, summarize contributions by member and repository, output Markdown/HTML, generate charts and a history index page for past weekly reports, and optionally upload to Feishu Docs. Use when the user mentions "GitLab weekly report", "team weekly report", "count this week's MRs/commits", "categorize development work by feature", "generate an HTML weekly report", "upload the weekly report to Feishu", and similar requests. Ge...
by Zhongning Wang (@wangzn)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The code and instructions match the stated purpose (fetch GitLab data, classify MRs, generate markdown/html/charts, optionally upload to Feishu). However the package metadata declares no required credentials or primaryEnv even though the scripts expect a GitLab token and optional Feishu app secrets/tokens (in config/config.json or environment). This mismatch is a notable omission.
Instruction Scope
SKILL.md and scripts clearly describe runtime steps: read config/config.json, run generate-report.sh (which calls GitLab APIs using a token), optionally generate charts and optionally upload to Feishu. The instructions do not ask the agent to access unrelated system files. They do reference reading a user token file (~ path) for Feishu and show commands that modify crontab if the setup-cron helper is used.
Install Mechanism
There is no install spec (instruction-only packaging) and included scripts run with standard interpreters (python, bash, node). No downloaded archives or external install URLs are used by the skill itself. Dependencies are typical Python/node packages and listed in requirements.txt; this is proportionate.
Credentials
The skill requires secrets to function (GitLab PRIVATE token, Feishu app_id/app_secret or user access token) but the registry metadata does not declare any required env vars or a primary credential. The code may read tokens from config/config.json or a user token file in the home directory and also accepts FEISHU_* env vars — this deserves explicit disclosure. Storing tokens in config files or using a user token file is supported but may be surprising if not declared by the skill manifest.
Persistence & Privilege
The optional scripts/setup-cron.sh will modify the user's crontab to run the report and (by default) the Feishu upload on a schedule. While this is an optional helper, it grants persistent periodic execution and will write to crontab and to logs/cron.log. Users should treat cron setup as high-impact and review the crontab command before running.
Scan Findings in Context
[gitlab_api_usage] expected: Multiple scripts call GitLab API endpoints (e.g., /api/v4/users/<id>/events) and require a private token in config/config.json — this is expected for the stated purpose.
[feishu_api_usage] expected: upload-to-feishu.* and scripts/lib/feishu-api.sh call Feishu Open API endpoints and consume app id/secret or a user access token. This matches the optional Feishu upload feature.
[reads_local_token_files] expected: The Node upload script will read a user token file (path from config.feishu.user_token_file, default ~/path/to/feishu_token.json). Reading tokens from local files is expected but should be disclosed in metadata.
[modifies_crontab] expected: setup-cron.sh edits the user's crontab to install a scheduled job that runs generate-upload commands. This is expected for scheduling but has persistence/privilege implications that require user review.
[undeclared_credentials] unexpected: The skill manifest does not declare required credentials (GitLab token, FEISHU_* env or primary credential) even though the code expects them in config or env. Manifest omission may mislead users about the secrets needed.
What to consider before installing
This skill does what it says (collects GitLab activity, classifies MRs, builds reports and optionally uploads to Feishu), but before installing or running it: 1) inspect config/config.example.json and ensure you will not publish real tokens; the scripts expect a GitLab token and optional Feishu app credentials/user token even though the skill metadata did not declare them; 2) prefer passing secrets via environment variables or a secured local config, and do not commit config/config.json to source control; 3) review upload-to-feishu.js and the Feishu helper functions if you plan to enable publishing, and ensure tokens and doc targets are correct and trusted; 4) avoid running scripts/setup-cron.sh unless you intend a persistent scheduled job, since it will modify your user crontab and run uploads on a schedule; and 5) verify node/python dependencies (pip install -r requirements.txt and the node Lark SDK) from trusted registries before use. If you want to proceed, populate config/config.json locally with safe/test tokens and run the report manually first to confirm expected behavior.
