← Back to Skills Marketplace

自动周报助手

Name: 自动周报助手
Author: carson1012

by Carson1012 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

123

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install weekly-report-ai

Description

自动整理周报工具。支持从多个数据源（GitHub、飞书文档、日历）汇总工作内容，生成Markdown周报。支持保存历史、AI摘要、导出PDF/HTML、发送邮件、写入飞书文档。适用于需要定期总结工作成果的用户。

Usage Guidance

This skill appears to do what it claims, but review these before installing/using: 1) Credentials: the scripts require GitHub/Feishu/SMTP/Google credentials even though the registry metadata lists none — supply tokens securely (prefer environment variables or a secrets store, not raw CLI args) and avoid embedding passwords in shell history. 2) Local storage: reports and metadata are saved under ~/.weekly-report/history/ — check permissions and clean sensitive contents if needed. 3) Dependencies: ensure Python packages (requests, PyGithub, googleapiclient) and optional tools (pandoc, xelatex) are installed in a controlled environment. 4) Bugs: there are minor code bugs (incorrect datetime.timedelta usage in history_manager) you may want to fix before automated runs. 5) Least privilege: create and use scoped API tokens (short-lived or limited-permission tokens) and revoke them if you stop using the skill. If you want, I can point out exact lines to change for safer credential handling or help produce hardened example usage (env var approach, prompting for secrets, file-permissions).

Capability Analysis

Type: OpenClaw Skill Name: weekly-report-ai Version: 1.0.0 The skill bundle is a functional weekly report generator that aggregates data from GitHub, Feishu, and Google Calendar. It is classified as suspicious because it possesses several high-risk capabilities that, while aligned with its stated purpose, present a significant attack surface. These include sending emails via SMTP using user-provided credentials (email_sender.py), executing external shell commands via subprocess for PDF conversion (export_pdf.py), and performing local filesystem writes for history management (history_manager.py). No evidence of intentional malice or data exfiltration was found, but the scripts lack robust input sanitization, such as in the regex-based Markdown-to-HTML conversion which is vulnerable to XSS, and the potential for path traversal in history management.

Capability Assessment

ℹ Purpose & Capability

The skill's name/description match the included scripts: GitHub, Feishu, calendar fetching, report generation, PDF/HTML export, email sending, and local history management. However, the registry metadata declares no required environment variables/credentials while the SKILL.md and the scripts clearly require secrets (GitHub token, Feishu token, SMTP credentials or Google credentials file). That mismatch is an inconsistency (likely metadata omission) but not evidence of malicious behavior.

ℹ Instruction Scope

Runtime instructions and scripts operate within the expected scope: they call GitHub/Feishu/calendar APIs and write reports to ~/.weekly-report/history/. They do not call unknown external endpoints. A notable operational detail: the SKILL.md and sample commands suggest passing tokens/passwords on the command line, which can leak to shell history and process listings; the Google calendar path expects a local credentials file. Also check the code quality issues (e.g., a couple of datetime.timedelta references that will raise errors) before automated scheduling.

✓ Install Mechanism

This is an instruction-only skill with bundled scripts and no install spec that downloads remote code. No external installers or unpacking from arbitrary URLs are used, so installation risk is low. The code imports external Python packages (requests, PyGithub, googleapiclient), so you must ensure a safe runtime environment with those dependencies.

⚠ Credentials

Although the registry metadata lists no required environment variables, the scripts require sensitive credentials (GitHub personal access token, Feishu access token, Google credentials file, SMTP username/password). Those credentials are reasonable for the described integrations, but the metadata omission is misleading. Also, passing sensitive secrets on command line arguments (examples in SKILL.md) can expose them via process listings or shell history — a privacy risk to consider.

✓ Persistence & Privilege

The skill writes report files and metadata into its own user-scoped directory (~/.weekly-report/history/) which is appropriate for its purpose. It does not request always:true, does not modify other skills, and does not attempt to change system-wide agent settings.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install weekly-report-ai
After installation, invoke the skill by name or use /weekly-report-ai
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

首次发布 - 支持GitHub/飞书/日历数据源，支持生成Markdown/HTML/PDF，支持邮件发送和飞书文档写入

Metadata

Slug weekly-report-ai

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is 自动周报助手?

自动整理周报工具。支持从多个数据源（GitHub、飞书文档、日历）汇总工作内容，生成Markdown周报。支持保存历史、AI摘要、导出PDF/HTML、发送邮件、写入飞书文档。适用于需要定期总结工作成果的用户。 It is an AI Agent Skill for Claude Code / OpenClaw, with 123 downloads so far.

How do I install 自动周报助手?

Run "/install weekly-report-ai" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 自动周报助手 free?

Yes, 自动周报助手 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 自动周报助手 support?

自动周报助手 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created 自动周报助手?

It is built and maintained by Carson1012 (@carson1012); the current version is v1.0.0.

More Skills