← 返回 Skills 市场
265
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install gitlab-batch-cloner
功能描述
Batch clone GitLab group projects with branch checkout and Excel indexing. Use when user needs to clone all projects from a GitLab group, organize by group s...
使用说明 (SKILL.md)
Clone GitLab Skill
Batch clone all projects from GitLab group(s), maintain folder hierarchy, checkout key branches, and generate an Excel index.
When to Use
- User wants to batch clone all projects from one or more GitLab top-level groups
- Need to maintain original group/subgroup folder hierarchy locally
- Need to checkout multiple branches (default + latest active + release/prod)
- Need an Excel index file (
01.Index.xlsx) with per-group sheets
Requirements
Before starting, collect from user:
| Parameter | Required | Default | Notes |
|---|---|---|---|
| GitLab URL | ✅ | — | e.g. https://gitlab.company.com |
| Personal Access Token | ✅ | — | Needs read_api + read_repository scopes |
| Target Group(s) | ✅ | — | Group/sub-group/project paths, comma-separated. Supports: top-level group (myGroup), sub-group path (myGroup/mySubGroup), or direct project path (myGroup/mySubGroup/my-project) |
| Local Storage Path | ❌ | ~/Desktop/Code |
Where repos are stored |
| Auth Method | ❌ | HTTPS+Token | Or SSH if key is configured |
| Mode | ❌ | clone | clone (default), update (pull only), or sync (clone+pull+cleanup stale Excel rows) |
| Workers | ❌ | 4 | Parallel clone workers (GITLAB_WORKERS) |
| Total Timeout | ❌ | 0 (none) | Global timeout in seconds (GITLAB_TOTAL_TIMEOUT). 0=no limit |
Workflow
Step 1: Collect Input
Ask user for the 4 parameters above. Pass them as environment variables to the script:
GITLAB_URL, GITLAB_TOKEN, GITLAB_GROUPS (comma-separated), GITLAB_BASE_DIR
Step 2: Run the Script
cd \x3Cskill-dir>/scripts
python3 clone_and_index.py
The script handles everything:
- Resolves each input path — auto-detects if it's a top-level group, sub-group, or direct project
- For top-level groups: fetches all subgroups recursively (skips if access denied)
- For sub-group paths (e.g.
myGroup/mySubGroup): directly resolves and syncs that sub-group and its descendants only - For direct project paths: syncs only that specific project
- Clones new projects / pulls existing ones (with 5-min timeout per project)
- Uses multiprocessing for parallel clone/pull (process-group kill on timeout to prevent orphan git processes)
- Checks out branches: default + latest active + release/prod
- Incrementally updates
01.Index.xlsxevery 50 projects (so partial results survive crashes) - On SIGTERM/SIGINT, emergency-flushes pending results to Excel before exit
- Prints per-group project counts during discovery and real-time progress with elapsed time
- In
syncmode, the final Excel write removes rows for deleted/archived projects and handles cross-group migrations
Step 3: Report Results
After the script finishes, report:
- Total projects cloned/updated
- Any failed/timed-out projects (the script prints a summary table)
Modes
Update Only
If projects already exist and user just wants to update:
GITLAB_MODE=update python3 clone_and_index.py
This skips clone, only does git fetch --all && git pull on existing repos, re-checkouts branches, and refreshes the Excel.
Sync (Full Sync with Cleanup)
For a complete sync that also cleans up stale data in the Excel:
GITLAB_MODE=sync python3 clone_and_index.py
This behaves like clone mode (new repos are cloned, existing ones are pulled), but additionally:
- Removes Excel rows for projects that no longer exist on GitLab (deleted/archived)
- Handles projects that moved between groups (updates path, removes old row)
- Only cleans up sheets belonging to the groups specified in
GITLAB_GROUPS(won't touch other groups' data)
Excel Specification
File: 01.Index.xlsx inside \x3Clocal-path>/ (e.g. ~/Desktop/Code/01.Index.xlsx)
Sheets: One sheet per top-level group (sheet name = group name, e.g. "myGroup")
Columns:
| Col | Field | Content |
|---|---|---|
| A | 主Group名称 | Top-level group (e.g. myGroup) |
| B | 子Group路径 | Full group path without project name |
| C | Project路径 | Full path (e.g. myGroup/mySubGroup/myProject) |
| D | Project名称 | Project name |
| E | Project描述 | GitLab description |
| F | 已checkout分支 | All local branches, one per line |
| G | 分支最新提交时间 | Corresponding commit times, one per line |
| H | SSH Git链接 | ssh_url_to_repo |
| I | 下载时间 | Clone/update timestamp |
| J | Project ID | GitLab project ID (hidden column, used for matching) |
Sort: A (asc) → B (asc) → D (asc)
Formatting: Frozen header row, thin borders on all cells, F/G columns left-aligned with wrap, other columns center-aligned, UTF-8 encoding.
Security
- Token is passed via environment variable, never logged
- After clone, remote URL is reset to remove embedded token
- If clone times out or crashes, a cleanup step removes token from
.git/config
Output Structure
~/Desktop/Code/
├── 01.Index.xlsx
├── myGroup/
│ ├── SubGroup1/
│ │ ├── project-a/
│ │ └── project-b/
│ └── SubGroup2/
│ └── project-c/
└── AnotherGroup/
└── ...
安全使用建议
Key points to consider before installing or running:
- Manifest mismatch: The package registry metadata does not declare required environment variables or a primary credential, but the SKILL.md and included script require GITLAB_URL and a Personal Access Token (GITLAB_TOKEN). Ask the publisher to update the manifest to declare required env vars and primary credential before trusting installation.
- Token exposure: The script clones using an HTTPS URL that embeds the token (https://oauth2:TOKEN@...). While the script attempts to strip tokens from git config afterwards, embedding the token in the command-line can expose it in the system process list while git runs. Prefer using SSH keys if possible, or use a short-lived token with minimal scopes (only read_api + read_repository as suggested) and run in a trusted environment.
- SSL verification disabled: The code constructs a permissive SSL context (verify_mode = CERT_NONE) to accept self-signed certs. This is convenient for private GitLab instances but increases MITM risk — only use this in networks you trust, or modify the script to enforce certificate verification if possible.
- Runtime pip install: The script will pip-install openpyxl at runtime if missing. That writes to disk and executes code from PyPI. If you need stricter control, pre-install dependencies in a controlled environment (virtualenv) before running.
- Review and run in isolation first: Inspect the full script (already included) for the sanitization logic (_sanitize_remote) and how it handles partial clones and timeouts. Run the tool in a disposable/isolated environment (VM or container) and with a limited-scope token to validate behavior before using it with sensitive production repositories.
- Request fixes or clarifications: Ask the skill author to (1) update registry metadata to declare required env vars/primary credential, (2) document risks of command-line token embedding and process-list exposure, and (3) consider safer clone methods (SSH or credential helpers) and optional SSL verification configuration.
Given these mismatches and token-handling risks, treat the skill as suspicious until the manifest and token handling are clarified and, if necessary, modified.
功能分析
Type: OpenClaw Skill
Name: gitlab-batch-cloner
Version: 1.0.1
The skill bundle is a legitimate and well-engineered utility for batch cloning GitLab repositories and generating an Excel index. It includes robust error handling, parallel processing, and comprehensive unit tests (test_clone_and_index.py). While it uses a permissive SSL context (ssl.CERT_NONE) to accommodate internal GitLab instances with self-signed certificates and auto-installs the 'openpyxl' dependency, these behaviors are explicitly documented and aligned with its stated purpose. The script (clone_and_index.py) also includes security-conscious logic to sanitize Git remote URLs, ensuring that sensitive access tokens are removed from local configurations after cloning.
能力评估
Purpose & Capability
The SKILL.md and code clearly require a GitLab URL and a Personal Access Token (GITLAB_TOKEN) plus other GITLAB_* env vars to operate. However, the registry metadata lists no required environment variables or primary credential. That mismatch is an incoherence: a GitLab batch-cloner legitimately needs a token, so the manifest should declare it but does not.
Instruction Scope
The instructions are clear about collecting env vars, running the included script, and writing an Excel file under the user-specified base directory — these are within scope. However, the SKILL.md asserts the token is 'never logged' and sanitized, while the implementation clones via an HTTPS URL embedding the token (git clone https://oauth2:TOKEN@...). Embedding the token in the command-line can expose it in the system process list for the duration of the clone. The script also disables SSL verification for HTTPS API calls to support self-signed certs (SSL_VERIFY disabled), which increases MITM risk. These implementation details contradict the simple 'token never logged' reassurance and should be called out.
Install Mechanism
There is no declared install spec (instruction-only), but the included script bootstraps a dependency at runtime (it runs pip install openpyxl if missing). That means the skill will execute package installation during runtime, which writes to disk and runs external code via pip. This is not malicious per se for a script that needs Excel writing, but it is an installation-like behavior not reflected in the registry install metadata.
Credentials
The script legitimately requires sensitive credentials (GITLAB_TOKEN) and other GITLAB_* environment variables (URL, GROUPS, BASE_DIR, MODE, WORKERS, TOTAL_TIMEOUT). These are proportional to the purpose. The problem is that the registry manifest does not declare any required env vars/primary credential while the SKILL.md and code do. Additionally, the code's use of embedded HTTPS tokens and disabled SSL verification increases the sensitivity of that token beyond normal use; a user should minimize token scope and be aware of exposure risks.
Persistence & Privilege
The skill does not request permanent platform-wide privileges (always:false) and does not modify other skills or system-wide agent settings. It writes files only under the user-specified local base directory (clones repos, writes 01.Index.xlsx) which is expected for this tool.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install gitlab-batch-cloner - 安装完成后,直接呼叫该 Skill 的名称或使用
/gitlab-batch-cloner触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
update
v1.0.0
Init
元数据
常见问题
GitLab Batch Cloner 是什么?
Batch clone GitLab group projects with branch checkout and Excel indexing. Use when user needs to clone all projects from a GitLab group, organize by group s... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 265 次。
如何安装 GitLab Batch Cloner?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install gitlab-batch-cloner」即可一键安装,无需额外配置。
GitLab Batch Cloner 是免费的吗?
是的,GitLab Batch Cloner 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
GitLab Batch Cloner 支持哪些平台?
GitLab Batch Cloner 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 GitLab Batch Cloner?
由 pangfan(@pangfan)开发并维护,当前版本 v1.0.1。
推荐 Skills