← 返回 Skills 市场
Bug问题上报
作者
WearFlatShoesToWalkTheWorld
· GitHub ↗
· v1.0.0
· MIT-0
85
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install global-bug
功能描述
Bug问题上报技能。当用户说"有xxx问题"、"xxxBug"、"发现xxx问题"时触发,自动将Bug信息添加到企业微信智能表格中。参数映射:问题描述为用户问题,发现问题人员留空,处理进度默认"处理中",严重程度留空,处理人固定"姜春波",发现日期留空,解决时间留空。
使用说明 (SKILL.md)
Bug 问题上报技能
当用户报告问题(如"有xxx问题"、"发现xxxBug")时,自动将问题添加到企业微信智能表格中。
Webhook 配置
接口地址:
https://qyapi.weixin.qq.com/cgi-bin/wedoc/smartsheet/webhook?key=1jziPisqM429DXY1ZZFTwMInCX86CuIDLQvmOCNSHNYWmGesn1PjC9M9SxzhAkDxzK37s9uRTTSQvwiQ9fOxK0Ajpo5SigZ0EMJPPUiVUf3B
字段映射关系:
| 字段名 | 字段ID | 值来源 |
|---|---|---|
| 问题描述 | fafLxW |
用户报告的问题内容 |
| 发现问题的人员 | fF5OvO |
留空 |
| 处理进度 | f9kmWq |
固定值:处理中 |
| 严重程度 | f4LSb8 |
留空 |
| 处理人 | f90ViZ |
固定值:姜春波(text 格式) |
| 发现日期 | frMCUq |
留空 |
| 解决时间 | fsoY1c |
留空 |
请求格式
{
"schema": {
"fafLxW": "问题描述",
"fF5OvO": "发现问题的人员",
"f9kmWq": "处理进度",
"f4LSb8": "严重程度",
"f90ViZ": "处理人",
"frMCUq": "发现日期",
"fsoY1c": "解决时间"
},
"add_records": [
{
"values": {
"fafLxW": "{{问题内容}}",
"fF5OvO": [],
"f9kmWq": [{"text": "处理中"}],
"f4LSb8": [],
"f90ViZ": [{"text": "姜春波"}],
"frMCUq": "",
"fsoY1c": ""
}
}
]
}
工作流
- 当用户说"有xxx问题"时,提取问题内容
- 按照上述格式构造请求 JSON(发现问题的人员、发现日期、解决时间都留空)
- 发送 POST 请求到 Webhook 地址
- 返回操作结果给用户
示例
用户输入:"有登录页面点击按钮无响应问题"
{
"schema": {
"fafLxW": "问题描述",
"fF5OvO": "发现问题的人员",
"f9kmWq": "处理进度",
"f4LSb8": "严重程度",
"f90ViZ": "处理人",
"frMCUq": "发现日期",
"fsoY1c": "解决时间"
},
"add_records": [
{
"values": {
"fafLxW": "登录页面点击按钮无响应问题",
"fF5OvO": [],
"f9kmWq": [{"text": "处理中"}],
"f4LSb8": [],
"f90ViZ": [{"text": "姜春波"}],
"frMCUq": "",
"fsoY1c": ""
}
}
]
}
响应格式
请求成功后,返回格式如下:
✅ 问题已成功上报,会尽快处理
问题描述:xxx
处理进度:处理中
处理人:姜春波
已添加到企业微信智能表格中。
不显示 记录ID 和 发现人 信息。
错误处理
- 如果请求成功(返回 errcode=0),按上述格式回复
- 如果请求失败,返回具体错误信息给用户
安全使用建议
This skill does what it claims (posts reported bugs to a WeChat smart-sheet) but has several red flags you should address before installing. Key recommendations: (1) Do not install until you confirm why the npm package 'mcporter' is required — inspect that package's code and consider removing the install if unused. (2) Replace the hard-coded webhook key with a configured secret (environment variable) and verify who controls the webhook URL; do not expose tokens in skill files. (3) Avoid always:true unless there is a compelling reason; prefer on-demand invocation so user input isn't sent automatically. (4) Verify the webhook owner/trustworthiness and rotate the webhook key if it has been publicly shared. (5) If you must test, run in an isolated environment and audit network traffic and the npm package content. If these issues cannot be resolved or explained by the skill author, treat the package as untrusted and do not install it in production.
功能分析
Type: OpenClaw Skill
Name: global-bug
Version: 1.0.0
The skill contains a command injection vulnerability in `scripts/add_bug.sh` because the user-provided bug description is expanded directly within a shell heredoc (`<<EOF`), potentially allowing arbitrary command execution. Additionally, it hardcodes a sensitive WeChat webhook key in both `SKILL.md` and the shell script, which is a significant security risk. While the stated purpose of reporting bugs to a smartsheet appears legitimate, these implementation flaws pose a risk to the host environment.
能力评估
Purpose & Capability
The skill's behavior (POST bug reports to a WeChat smart-sheet webhook) matches the description, but the declared required binary 'mcporter' (installed via an npm package) is not referenced in the provided runtime script (scripts/add_bug.sh) or SKILL.md workflow. Requiring/installing mcporter appears unnecessary for the described functionality and is disproportionate.
Instruction Scope
Runtime instructions and the script only construct a JSON payload and POST it to a single external webhook URL. They do not read other local files, env vars, or credentials. However the webhook URL (with an embedded key) is hard-coded into SKILL.md and the script, meaning any user-provided text matched as the 'issue' will be transmitted to that external endpoint.
Install Mechanism
The install spec will npm-install a package named 'mcporter' and provide a binary 'mcporter'. The code and instructions do not use this binary, so installing an arbitrary npm package is unnecessary and introduces risk (npm packages execute code at install time and may be untrusted). No well-known release host or justification is provided.
Credentials
The skill requests no env vars, but it embeds a long webhook key directly in SKILL.md and the script. That key functions as a credential granting write access to the remote smart-sheet; hardcoding it in the skill both exposes it to anyone with the skill bundle and makes the skill capable of exfiltrating user-submitted content to that endpoint. Not requesting secrets is not the same as avoiding excessive access.
Persistence & Privilege
The skill metadata sets always: true, meaning it will be force-included in every agent run. Combined with automatic posting to an external webhook, this increases the blast radius: the agent could more easily send user content to the webhook without explicit per-install consent. The always:true flag appears unnecessary for a reactive bug-reporting skill and is risky.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install global-bug - 安装完成后,直接呼叫该 Skill 的名称或使用
/global-bug触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: Bug问题上报到企业微信智能表格,发现问题人员/日期留空,处理人固定姜春波
元数据
常见问题
Bug问题上报 是什么?
Bug问题上报技能。当用户说"有xxx问题"、"xxxBug"、"发现xxx问题"时触发,自动将Bug信息添加到企业微信智能表格中。参数映射:问题描述为用户问题,发现问题人员留空,处理进度默认"处理中",严重程度留空,处理人固定"姜春波",发现日期留空,解决时间留空。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 85 次。
如何安装 Bug问题上报?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install global-bug」即可一键安装,无需额外配置。
Bug问题上报 是免费的吗?
是的,Bug问题上报 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Bug问题上报 支持哪些平台?
Bug问题上报 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Bug问题上报?
由 WearFlatShoesToWalkTheWorld(@wearflatshoestowalktheworld)开发并维护,当前版本 v1.0.0。
推荐 Skills