Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

gitlab-weekly-report

v1.0.0

Queries an individual's commit records for a given time period via the GitLab API and automatically generates a standardized weekly report.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhoutianwang/gitlab-weekly-report.

Install the skill "gitlab-weekly-report" (zhoutianwang/gitlab-weekly-report) from ClawHub.
Skill page: https://clawhub.ai/zhoutianwang/gitlab-weekly-report
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install gitlab-weekly-report

ClawHub CLI


npx clawhub@latest install gitlab-weekly-report
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability

The name/description (generate GitLab weekly reports) matches the code and SKILL.md: the script queries GitLab Events/Commits and formats a report. However, the registry metadata lists no required credentials or env vars while the instructions and script require a Personal Access Token and user id; this mismatch is unexpected and reduces transparency. Also, the script hardcodes author_name="zhouyi" in commit queries, which ties it to a specific user rather than keeping it fully generic.

Instruction Scope (flagged)

SKILL.md instructs users to run the included script with a token argument and to run it from a specific workspace path. The script uses subprocess to invoke curl with '--noproxy "*"', which explicitly bypasses proxy configuration (and may circumvent network monitoring or corporate proxies). It also requires passing the token on the command line, which exposes the token to local process listings. The instructions direct data only to the GitLab API (no external endpoints), but the proxy bypass and CLI token exposure are notable scope/operational concerns.

Install Mechanism

There is no install spec (instruction-only with an included script). Nothing is downloaded or written by an installer. This is the lowest-risk install mechanism.

Credentials (flagged)

The skill requires sensitive credentials (a GitLab Personal Access Token and a user id) according to SKILL.md and the script, but the registry metadata does not declare any required env vars or primary credential. That mismatch reduces transparency. Additionally, passing the token as a CLI argument exposes it to other local users via process listings; the script also hardcodes an author filter (zhouyi), which is unexpected and not justified by the generic description.

Persistence & Privilege

The skill does not request persistent or elevated privileges. The metadata field "always" is false, and there is no installation step that modifies other skills or system-wide configs. The script does not write persistent tokens or change agent settings.
What to consider before installing

This skill mostly does what it says, but check a few things before installing or running it:

  • Credentials: The metadata does not declare that a GitLab token is required, yet the script needs a Personal Access Token. Treat that token as sensitive. Prefer providing it via a protected environment variable or a secure config file rather than on the command line.
  • CLI exposure: Running the script with --token will expose the token in process listings (ps). If other users share the machine, avoid passing secrets on the CLI.
  • GITLAB_URL: The script has GITLAB_URL set to an internal placeholder. Make sure it points to your intended GitLab instance and not an unexpected host.
  • Proxy bypass: The script calls curl with '--noproxy "*"', which forces direct connections and can bypass corporate proxies or monitoring; remove that flag if you need proxy or audit logging.
  • Hardcoded author: The code uses author_name="zhouyi" when querying commits. If you are not that user, edit or remove this to ensure correct results.
  • Transparency: The registry metadata should state the credential requirement (primaryEnv) so you clearly understand what will be needed.

If you depend on this skill, ask the maintainer to update the metadata and replace CLI token usage with a safer method. If you are comfortable editing the script: replace the curl subprocess calls with an HTTP library (requests), accept the token from the environment or a prompt, remove '--noproxy', and remove or parameterize the hardcoded author. If you cannot review or edit the script, do not supply production tokens to it.


Latest version: v1.0.0 (license: MIT-0)
255 downloads · 0 stars · 1 version
Updated 13h ago

GitLab Weekly Report Generator

Queries an individual's commit records via the GitLab API and automatically organizes them into a weekly report format.


Quick Start

Just tell me: help me check this week's (or last week's) git commits

For example:

  • "Help me check this week's git commits"
  • "Help me put together last week's weekly report"
  • "Generate this week's GitLab weekly report"

I will automatically call the API to fetch the data and organize it into a standardized weekly report.


Weekly Report Output Format

## 📋 Weekly Report (2026.03.09 - 2026.03.13)

### 1. Project name (project path)
- **【Type】Feature title**
  - Detailed description (extracted from the full commit message)

### 2. Project name
- ...

---

### Weekly Summary
- X commits in total, across X projects
- Main work:
  1. Feature development/optimization
  2. Fixes
  3. Code refactoring

Generation Process (Automated)

Important: use the gitlab_weekly_report.py script to fetch the data; do not call curl or a browser manually!

  1. Call the script to fetch the data

    cd ~/.openclaw/workspace/skills/gitlab-weekly-report
    python3 gitlab_weekly_report.py --token 你的token --user-id 46 --after 2026-03-09 --before 2026-03-13
    
  2. The script automatically

    • Calls the Events API to get this week's list of projects
    • Looks up each project's name by project_id
    • Organizes the commit records into the weekly report
  3. Manual step: polish the raw commit messages the script outputs according to the "Commit Message Beautification Rules"


Using the Script Directly

# This week's commits
python3 gitlab_weekly_report.py --token (初始数据)你自己的令牌key --user-id 46 --after 2026-03-09

# Last week's commits
python3 gitlab_weekly_report.py --token (初始数据)你自己的令牌key --user-id 46 --after 2026-03-02 --before 2026-03-09

Commit Message Beautification Rules

Extract the key information from the full commit message:

| Original | Beautified |
| --- | --- |
| feat | 【New】 |
| fix | 【Fix】 |
| refactor | 【Improve】 |
| 调整 xxx (adjust xxx) | 【Improve】xxx |
| 修复:xxx (fix: xxx) | 【Fix】xxx |
| 开发 xxx (develop xxx) | 【New】xxx |
| Merge | 【Merge】code |
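An added example (not part of the skill's own script) that applies the beautification table above to raw commit messages and emits the Markdown from the Weekly Report Output Format section, grouping commits per project and counting them for the summary. The per-kind "x count" lines under Main work and the commit messages used in the check are constructed for this example.

```python
import re
from collections import Counter

# Rows of the beautification table as (prefix pattern, label); first match wins.
RULES = [
    (re.compile(r"^feat(\([^)]*\))?\s*[:：]\s*"), "【New】"),
    (re.compile(r"^fix(\([^)]*\))?\s*[:：]\s*"), "【Fix】"),
    (re.compile(r"^refactor(\([^)]*\))?\s*[:：]\s*"), "【Improve】"),
    (re.compile(r"^调整\s*"), "【Improve】"),
    (re.compile(r"^修复\s*[:：]?\s*"), "【Fix】"),
    (re.compile(r"^开发\s*"), "【New】"),
]

def beautify(message):
    """Turn a raw commit message into (headline, detail lines) for the report."""
    lines = [l.strip() for l in message.strip().splitlines() if l.strip()]
    title, body = (lines[0], lines[1:]) if lines else ("", [])
    if title.startswith("Merge"):
        return "【Merge】code", []
    for pattern, label in RULES:
        m = pattern.match(title)
        if m:
            return label + title[m.end():], body
    return title, body  # no rule matched: keep the original title

def render_report(week, commits_by_project):
    """commits_by_project: {(name, path): [commit message, ...]} -> the template's Markdown."""
    out = [f"## 📋 Weekly Report ({week})", ""]
    kinds = Counter()
    total = 0
    for n, ((name, path), messages) in enumerate(commits_by_project.items(), 1):
        out.append(f"### {n}. {name} ({path})")
        for msg in messages:
            headline, body = beautify(msg)
            kinds[headline[:headline.find("】") + 1] or "other"] += 1
            total += 1
            out.append(f"- **{headline}**")
            out.extend(f"  - {line}" for line in body)
        out.append("")
    out += ["---", "", "### Weekly Summary",
            f"- {total} commits in total, across {len(commits_by_project)} projects",
            "- Main work:"]
    out += [f"  {i}. {kind} x{count}" for i, (kind, count) in enumerate(kinds.most_common(), 1)]
    return "\n".join(out)
```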

API Parameters

Events API

| Parameter | Description |
| --- | --- |
| action | Fixed value: pushed |
| author_id | User ID (yours: 46) |
| after | Start date (YYYY-MM-DD) |
| before | End date (YYYY-MM-DD) |
| per_page | Items per page (100 recommended) |

Commits API

| Parameter | Description |
| --- | --- |
| project_id | Project ID (obtained from Events) |
| ref_name | Branch name (obtained from the Events push_data) |
| since | Start date |
| until | End date |
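As an added example (not the skill's own script), the two-step fetch from the parameter tables above rebuilt the way the scan's "What to consider before installing" section recommends: the token comes from an environment variable instead of argv, a plain urllib GET carries it in a header with no --noproxy so system proxy settings apply, both endpoints are paged with per_page=100, and the author filter is a parameter rather than a hardcoded name. The /api/v4/events and /projects/:id/repository/commits paths, the GITLAB_TOKEN and GITLAB_URL variable names, and the injectable get parameter are assumptions made for this example.

```python
import json
import os
import urllib.parse
import urllib.request

GITLAB_URL = os.environ.get("GITLAB_URL", "https://gitlab.example.com")  # assumed default; set to your instance

def gitlab_token(env=os.environ):
    """Token from the environment, never argv (argv is visible in ps to every local user)."""
    token = env.get("GITLAB_TOKEN")
    if not token:
        raise SystemExit("set GITLAB_TOKEN in the environment, not on the command line")
    return token

def api_url(base, path, **params):
    """Build /api/v4 URLs from the parameters the SKILL.md tables list."""
    return f"{base.rstrip('/')}/api/v4/{path}?{urllib.parse.urlencode(params)}"

def http_get_json(url, token):
    """Plain urllib GET: token in a header, system proxy settings honoured (no --noproxy)."""
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_all(base, path, token, get=http_get_json, per_page=100, **params):
    """Page through a list endpoint; the FAQ notes the default page size is only 20."""
    items, page = [], 1
    while True:
        batch = get(api_url(base, path, per_page=per_page, page=page, **params), token)
        items.extend(batch)
        if len(batch) < per_page:
            return items
        page += 1

def pushed_branches(base, user_id, after, before, token, **kw):
    """Step 1 of the flow: {project_id: {branch, ...}} from the user's own push events."""
    events = fetch_all(base, "events", token, action="pushed", author_id=user_id,
                       after=after, before=before, **kw)
    found = {}
    for ev in events:
        ref = (ev.get("push_data") or {}).get("ref")
        if ref:
            found.setdefault(ev["project_id"], set()).add(ref)
    return found

def branch_commits(base, project_id, ref_name, since, until, token, author=None, **kw):
    """Step 2: commits on one branch; the author filter is a parameter, not a hardcoded name."""
    commits = fetch_all(base, f"projects/{project_id}/repository/commits", token,
                        ref_name=ref_name, since=since, until=until, **kw)
    return [c for c in commits if author is None or c.get("author_name") == author]
```

Run it as `GITLAB_URL=https://your.gitlab GITLAB_TOKEN=... python3 report.py` and call pushed_branches followed by branch_commits for each (project, branch) pair; the get parameter exists so the paging logic can be exercised offline.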

Configuration (saved)

  • User ID: (initial data) user id
  • Username: (initial data) your username
  • Email: (initial data) your email address
  • Token: GitLab personal access token

FAQ

Q: Why are the commit records incomplete? A: The GitLab API returns only 20 items per page by default; add the &per_page=100 parameter to get more.

Q: How do I view the complete commits for a project? A: Use the Commits API and specify the branch name to get the full commit messages.

Q: If the SKILL still contains (initial data) placeholders, should the user be reminded to configure the corresponding data? A: Remind the user to provide the corresponding data.

Q: Does gitlab_weekly_report.py need to be changed to use my company's GitLab address? A: Yes, change the access URL.
