crecendow

禅道自动报告

by K · GitHub · v1.0.2 · MIT-0
cross-platform · ⚠ suspicious
141 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install zentao-autoreport
Description
Zentao automatic work-hour logging skill. The user describes what they did today; the skill searches for matching tasks and, after confirmation, calls the Zentao API to record the hours. Supports smart matching, automatic re-login, and correct calculation of remaining hours. Uses the recordworkhour endpoint and targets Zentao 21.x open-source edition.
Usage Guidance
This skill appears to implement what it claims, but review a few risks before installing:
- Credentials handling: You must provide an account/password (or token), and the skill expects them in plaintext at $HOME/.config/zentao/.env. If you proceed, restrict that file's permissions (chmod 600) and prefer an API token over a password where possible.
- Shell-script env loading: The bundled .sh scripts use 'export $(cat <file> | xargs)' to load the .env. That approach can evaluate command substitutions if the file contains crafted values; create the .env yourself (do not paste untrusted content) and inspect it before use.
- Command/argument interpolation: The scripts embed user-provided descriptions into shell/python invocations. If you plan to run these scripts on a shared or untrusted machine, validate inputs to prevent accidental injection. Prefer the Python scripts over the shell ones when possible; they are easier to audit and avoid shell word-splitting quirks.
- Endpoint trust: The code will POST work hours to whatever ZENTAO_URL you supply. Double-check that URL (use HTTPS) to avoid sending credentials and work entries to a wrong or malicious server.
- Data exposure: The matching step prints full task lists and JSON, which surfaces internal task metadata into the agent/UI. If that is sensitive, restrict the output or run locally.
If you are comfortable with these caveats (and/or can run the scripts in a local, trusted environment with secure file permissions), the skill is functionally coherent. If you have limited ability to enforce file permissions or are concerned about credential storage, either do not install it, or require an API token and manually inspect and run the Python scripts instead of the shell variants.
Capability Analysis
Type: OpenClaw Skill
Name: zentao-autoreport
Version: 1.0.2
The skill automates Zentao work reporting but contains several security vulnerabilities. Specifically, scripts/match-tasks.sh and scripts/report.sh are vulnerable to code injection because they embed unsanitized shell variables (like $USER_DESC) directly into Python one-liners executed via 'python3 -c'. Additionally, the skill stores Zentao credentials in plaintext in $HOME/.config/zentao/.env and session cookies in /tmp/cookies.txt, which are insecure practices. While these appear to be unintentional flaws rather than intentional malware, they represent significant security risks.
Capability Assessment
Purpose & Capability
Name/description (auto report to 禅道) align with the shipped scripts: they log in, fetch user tasks, perform simple semantic matching, and call recordworkhour. All network calls go to the user-supplied ZENTAO_URL or local /tmp cookie file, which is coherent with purpose.
Instruction Scope
SKILL.md correctly instructs the agent to ask for ZENTAO_URL/ACCOUNT/PASSWORD/(optional)TOKEN and to save them under $HOME/.config/zentao/.env; the scripts read only that config (and /tmp/cookies.txt) and interact with the Zentao endpoints. Note: the README implies the skill will save the config, but the provided scripts only read the file — the agent or user must create it. Also the scripts print full task lists (including task JSON), which is expected for matching but will expose internal project data to whatever UI/context the agent uses.
Install Mechanism
Instruction-only with bundled scripts, no external downloads or installers. No network fetch of third-party code. Low install mechanism risk.
Credentials
Requesting ZENTAO_ACCOUNT, ZENTAO_PASSWORD, and optional ZENTAO_TOKEN is proportionate to the stated task. However the registry metadata lists no required env vars while the SKILL.md asks the user to store credentials in $HOME/.config/zentao/.env — an inconsistency to be aware of. Additional concerns: the shell scripts load the .env via 'export $(cat "$CONFIG_FILE" | xargs)', which can cause shell evaluation/command-substitution if the .env contains malicious constructs; storing plaintext credentials in a config file on disk is also a sensitive decision (file permissions and host trust matter).
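As an added example (not code from the zentao-autoreport skill), the POSIX shell below shows the two mitigations the Usage Guidance and Capability Analysis point to: a .env loader that exports KEY=VALUE lines literally instead of 'export $(cat "$CONFIG_FILE" | xargs)', and a wrapper that passes the user's description to python3 as an argument rather than splicing it into the 'python3 -c' source. The function names and the sample .env contents are constructed.

```shell
# Added example, not code from the zentao-autoreport skill. Function names
# and the sample .env contents are constructed for illustration.

# Read KEY=VALUE lines from the .env and export each value verbatim. The
# value never passes through eval, xargs or word splitting, so `$(...)`,
# backticks and globs inside it stay literal text.
load_env_file() {
  env_file="$1"
  [ -f "$env_file" ] || { echo "missing $env_file" >&2; return 1; }
  # The file holds credentials: refuse it unless group/other bits are clear.
  case "$(ls -l "$env_file" | cut -c5-10)" in
    ------) ;;
    *) echo "$env_file is readable by others; run chmod 600" >&2; return 1 ;;
  esac
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    key="${line%%=*}"
    value="${line#*=}"
    # Only shell identifiers may become variable names.
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*) echo "skipping malformed line: $line" >&2; continue ;;
    esac
    export "$key=$value"
  done < "$env_file"
}

# Hand the user's work description to Python as argv[1]. The -c source is a
# constant string, so quotes or $(...) in the description cannot change it.
# Here it just normalises the description into a sorted keyword list.
match_tasks_safely() {
  python3 -c 'import sys
words = {w.strip(",.").lower() for w in sys.argv[1].split()}
print(",".join(sorted(words)))' "$1"
}
```

With a line such as ZENTAO_PASSWORD=p@ss$(echo injected) in the file, the loader exports the string exactly as written, whereas the xargs form would run the substitution.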
Persistence & Privilege
The skill is user-invocable and not always:true. It does not request persistent elevated privileges or modify other skills. It expects a per-user config file under ~/.config/zentao, which is reasonable for this functionality.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install zentao-autoreport
  3. After installation, invoke the skill by name or use /zentao-autoreport
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
zentao-autoreport 1.0.2
- Added the ZENTAO_TOKEN configuration option, allowing task information to be fetched via an API token (optional)
- Config file supports a more flexible location description (e.g. $HOME/.config/zentao/.env)
- Improved the login and session documentation, emphasising automatic session management
- Scripts and documentation updated together, with a more detailed description of the auto-login and task-matching flow
v1.0.1
- Added smart matching of the user's work description to Zentao tasks, recording work hours after confirmation
- Supports automatically fetching and saving the Zentao account configuration, and re-logs in automatically when the session expires
- Automatically queries a task's remaining hours and correctly computes the new remaining hours
- Fully compatible with the recordworkhour endpoint of Zentao 21.x open-source edition and the new RND UI
- Ships both Python and Shell versions of the scripts and automatically prefers one to run
Metadata
Slug: zentao-autoreport
Version: 1.0.2
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is 禅道自动报告?

Zentao automatic work-hour logging skill. The user describes what they did today; the skill searches for matching tasks and, after confirmation, calls the Zentao API to record the hours. Supports smart matching, automatic re-login, and correct calculation of remaining hours. Uses the recordworkhour endpoint and targets Zentao 21.x open-source edition. It is an AI Agent Skill for Claude Code / OpenClaw, with 141 downloads so far.

How do I install 禅道自动报告?

Run "/install zentao-autoreport" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 禅道自动报告 free?

Yes, 禅道自动报告 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 禅道自动报告 support?

禅道自动报告 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created 禅道自动报告?

It is built and maintained by K (@crecendow); the current version is v1.0.2.
