← Back to Skills Marketplace
265
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install gitlab-batch-cloner
Description
Batch clone GitLab group projects with branch checkout and Excel indexing. Use when user needs to clone all projects from a GitLab group, organize by group s...
README (SKILL.md)
Clone GitLab Skill
Batch clone all projects from GitLab group(s), maintain folder hierarchy, checkout key branches, and generate an Excel index.
When to Use
- User wants to batch clone all projects from one or more GitLab top-level groups
- Need to maintain original group/subgroup folder hierarchy locally
- Need to checkout multiple branches (default + latest active + release/prod)
- Need an Excel index file (
01.Index.xlsx) with per-group sheets
Requirements
Before starting, collect from user:
| Parameter | Required | Default | Notes |
|---|---|---|---|
| GitLab URL | ✅ | — | e.g. https://gitlab.company.com |
| Personal Access Token | ✅ | — | Needs read_api + read_repository scopes |
| Target Group(s) | ✅ | — | Group/sub-group/project paths, comma-separated. Supports: top-level group (myGroup), sub-group path (myGroup/mySubGroup), or direct project path (myGroup/mySubGroup/my-project) |
| Local Storage Path | ❌ | ~/Desktop/Code |
Where repos are stored |
| Auth Method | ❌ | HTTPS+Token | Or SSH if key is configured |
| Mode | ❌ | clone | clone (default), update (pull only), or sync (clone+pull+cleanup stale Excel rows) |
| Workers | ❌ | 4 | Parallel clone workers (GITLAB_WORKERS) |
| Total Timeout | ❌ | 0 (none) | Global timeout in seconds (GITLAB_TOTAL_TIMEOUT). 0=no limit |
Workflow
Step 1: Collect Input
Ask user for the 4 parameters above. Pass them as environment variables to the script:
GITLAB_URL, GITLAB_TOKEN, GITLAB_GROUPS (comma-separated), GITLAB_BASE_DIR
Step 2: Run the Script
cd \x3Cskill-dir>/scripts
python3 clone_and_index.py
The script handles everything:
- Resolves each input path — auto-detects if it's a top-level group, sub-group, or direct project
- For top-level groups: fetches all subgroups recursively (skips if access denied)
- For sub-group paths (e.g.
myGroup/mySubGroup): directly resolves and syncs that sub-group and its descendants only - For direct project paths: syncs only that specific project
- Clones new projects / pulls existing ones (with 5-min timeout per project)
- Uses multiprocessing for parallel clone/pull (process-group kill on timeout to prevent orphan git processes)
- Checks out branches: default + latest active + release/prod
- Incrementally updates
01.Index.xlsxevery 50 projects (so partial results survive crashes) - On SIGTERM/SIGINT, emergency-flushes pending results to Excel before exit
- Prints per-group project counts during discovery and real-time progress with elapsed time
- In
syncmode, the final Excel write removes rows for deleted/archived projects and handles cross-group migrations
Step 3: Report Results
After the script finishes, report:
- Total projects cloned/updated
- Any failed/timed-out projects (the script prints a summary table)
Modes
Update Only
If projects already exist and user just wants to update:
GITLAB_MODE=update python3 clone_and_index.py
This skips clone, only does git fetch --all && git pull on existing repos, re-checkouts branches, and refreshes the Excel.
Sync (Full Sync with Cleanup)
For a complete sync that also cleans up stale data in the Excel:
GITLAB_MODE=sync python3 clone_and_index.py
This behaves like clone mode (new repos are cloned, existing ones are pulled), but additionally:
- Removes Excel rows for projects that no longer exist on GitLab (deleted/archived)
- Handles projects that moved between groups (updates path, removes old row)
- Only cleans up sheets belonging to the groups specified in
GITLAB_GROUPS(won't touch other groups' data)
Excel Specification
File: 01.Index.xlsx inside \x3Clocal-path>/ (e.g. ~/Desktop/Code/01.Index.xlsx)
Sheets: One sheet per top-level group (sheet name = group name, e.g. "myGroup")
Columns:
| Col | Field | Content |
|---|---|---|
| A | 主Group名称 | Top-level group (e.g. myGroup) |
| B | 子Group路径 | Full group path without project name |
| C | Project路径 | Full path (e.g. myGroup/mySubGroup/myProject) |
| D | Project名称 | Project name |
| E | Project描述 | GitLab description |
| F | 已checkout分支 | All local branches, one per line |
| G | 分支最新提交时间 | Corresponding commit times, one per line |
| H | SSH Git链接 | ssh_url_to_repo |
| I | 下载时间 | Clone/update timestamp |
| J | Project ID | GitLab project ID (hidden column, used for matching) |
Sort: A (asc) → B (asc) → D (asc)
Formatting: Frozen header row, thin borders on all cells, F/G columns left-aligned with wrap, other columns center-aligned, UTF-8 encoding.
Security
- Token is passed via environment variable, never logged
- After clone, remote URL is reset to remove embedded token
- If clone times out or crashes, a cleanup step removes token from
.git/config
Output Structure
~/Desktop/Code/
├── 01.Index.xlsx
├── myGroup/
│ ├── SubGroup1/
│ │ ├── project-a/
│ │ └── project-b/
│ └── SubGroup2/
│ └── project-c/
└── AnotherGroup/
└── ...
Usage Guidance
Key points to consider before installing or running:
- Manifest mismatch: The package registry metadata does not declare required environment variables or a primary credential, but the SKILL.md and included script require GITLAB_URL and a Personal Access Token (GITLAB_TOKEN). Ask the publisher to update the manifest to declare required env vars and primary credential before trusting installation.
- Token exposure: The script clones using an HTTPS URL that embeds the token (https://oauth2:TOKEN@...). While the script attempts to strip tokens from git config afterwards, embedding the token in the command-line can expose it in the system process list while git runs. Prefer using SSH keys if possible, or use a short-lived token with minimal scopes (only read_api + read_repository as suggested) and run in a trusted environment.
- SSL verification disabled: The code constructs a permissive SSL context (verify_mode = CERT_NONE) to accept self-signed certs. This is convenient for private GitLab instances but increases MITM risk — only use this in networks you trust, or modify the script to enforce certificate verification if possible.
- Runtime pip install: The script will pip-install openpyxl at runtime if missing. That writes to disk and executes code from PyPI. If you need stricter control, pre-install dependencies in a controlled environment (virtualenv) before running.
- Review and run in isolation first: Inspect the full script (already included) for the sanitization logic (_sanitize_remote) and how it handles partial clones and timeouts. Run the tool in a disposable/isolated environment (VM or container) and with a limited-scope token to validate behavior before using it with sensitive production repositories.
- Request fixes or clarifications: Ask the skill author to (1) update registry metadata to declare required env vars/primary credential, (2) document risks of command-line token embedding and process-list exposure, and (3) consider safer clone methods (SSH or credential helpers) and optional SSL verification configuration.
Given these mismatches and token-handling risks, treat the skill as suspicious until the manifest and token handling are clarified and, if necessary, modified.
Capability Analysis
Type: OpenClaw Skill
Name: gitlab-batch-cloner
Version: 1.0.1
The skill bundle is a legitimate and well-engineered utility for batch cloning GitLab repositories and generating an Excel index. It includes robust error handling, parallel processing, and comprehensive unit tests (test_clone_and_index.py). While it uses a permissive SSL context (ssl.CERT_NONE) to accommodate internal GitLab instances with self-signed certificates and auto-installs the 'openpyxl' dependency, these behaviors are explicitly documented and aligned with its stated purpose. The script (clone_and_index.py) also includes security-conscious logic to sanitize Git remote URLs, ensuring that sensitive access tokens are removed from local configurations after cloning.
Capability Assessment
Purpose & Capability
The SKILL.md and code clearly require a GitLab URL and a Personal Access Token (GITLAB_TOKEN) plus other GITLAB_* env vars to operate. However, the registry metadata lists no required environment variables or primary credential. That mismatch is an incoherence: a GitLab batch-cloner legitimately needs a token, so the manifest should declare it but does not.
Instruction Scope
The instructions are clear about collecting env vars, running the included script, and writing an Excel file under the user-specified base directory — these are within scope. However, the SKILL.md asserts the token is 'never logged' and sanitized, while the implementation clones via an HTTPS URL embedding the token (git clone https://oauth2:TOKEN@...). Embedding the token in the command-line can expose it in the system process list for the duration of the clone. The script also disables SSL verification for HTTPS API calls to support self-signed certs (SSL_VERIFY disabled), which increases MITM risk. These implementation details contradict the simple 'token never logged' reassurance and should be called out.
Install Mechanism
There is no declared install spec (instruction-only), but the included script bootstraps a dependency at runtime (it runs pip install openpyxl if missing). That means the skill will execute package installation during runtime, which writes to disk and runs external code via pip. This is not malicious per se for a script that needs Excel writing, but it is an installation-like behavior not reflected in the registry install metadata.
Credentials
The script legitimately requires sensitive credentials (GITLAB_TOKEN) and other GITLAB_* environment variables (URL, GROUPS, BASE_DIR, MODE, WORKERS, TOTAL_TIMEOUT). These are proportional to the purpose. The problem is that the registry manifest does not declare any required env vars/primary credential while the SKILL.md and code do. Additionally, the code's use of embedded HTTPS tokens and disabled SSL verification increases the sensitivity of that token beyond normal use; a user should minimize token scope and be aware of exposure risks.
Persistence & Privilege
The skill does not request permanent platform-wide privileges (always:false) and does not modify other skills or system-wide agent settings. It writes files only under the user-specified local base directory (clones repos, writes 01.Index.xlsx) which is expected for this tool.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install gitlab-batch-cloner - After installation, invoke the skill by name or use
/gitlab-batch-cloner - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
update
v1.0.0
Init
Metadata
Frequently Asked Questions
What is GitLab Batch Cloner?
Batch clone GitLab group projects with branch checkout and Excel indexing. Use when user needs to clone all projects from a GitLab group, organize by group s... It is an AI Agent Skill for Claude Code / OpenClaw, with 265 downloads so far.
How do I install GitLab Batch Cloner?
Run "/install gitlab-batch-cloner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is GitLab Batch Cloner free?
Yes, GitLab Batch Cloner is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does GitLab Batch Cloner support?
GitLab Batch Cloner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created GitLab Batch Cloner?
It is built and maintained by pangfan (@pangfan); the current version is v1.0.1.
More Skills