openclaw-gitcode-pr-monitor

Author: mingyang1996 · GitHub ↗ · v0.1.2 · MIT-0
cross-platform ⚠ suspicious
280 total downloads · 0 favorites · 0 current installs · 3 versions
Install in OpenClaw
/install openclaw-gitcode-pr-monitor
Description
Monitor GitCode PRs for one or more repos, auto-run AI review via OpenClaw Gateway, post PR comments, and send notifications (DingTalk + WeCom).
Security usage recommendations
This package looks like a legitimate GitCode PR monitor and reviewer, but the published metadata is incomplete. Before installing or running it:
- Verify you have an official OpenClaw CLI binary and confirm the OPENCLAW_CMD used by scripts points to a trusted binary. The scripts call `openclaw message send` and `openclaw agent`, which will transmit content externally.
- Provide and protect the GitCode token: the scripts expect $HOME/.openclaw/workspace/data/gitcode-token.txt. Ensure this file is readable only by the intended user (chmod 600) and stored in a secure workspace.
- Confirm you want automatic posting of comments and notifications. The submit-pr-comment.sh script will post the full generated report as a PR comment using your GitCode token.
- Ensure required helper binaries are present (curl, jq). The metadata doesn't declare them.
- Inspect ~/.openclaw/openclaw.json and your OpenClaw messaging channel configurations so the TARGET_WECOM/TARGET_DINGTALK bindings do what you expect and do not leak reports to unintended recipients.
- Because the metadata omitted required credentials/config paths and required binaries, treat this package as 'suspicious' until you confirm and secure the above items.

If you need higher assurance, request the publisher to update the skill metadata to declare required env vars, credentials, and binaries (GitCode token, openclaw CLI, notification targets) and to document expected network endpoints.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-gitcode-pr-monitor
Version: 0.1.2

The skill bundle provides a legitimate pipeline for monitoring GitCode Pull Requests and performing automated AI-driven code reviews. It consists of shell scripts (`monitor-gitcode-pr.sh`, `code-review-robust.sh`, `submit-pr-comment.sh`) that poll the GitCode API, trigger the OpenClaw agent to analyze code diffs, and post the resulting reports back to the PR and notification channels like DingTalk and WeCom. The scripts handle authentication via a local token file and implement standard operational features like session isolation and file-based locking. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Capability assessment
Purpose & Capability
The scripts implement a GitCode PR monitor + reviewer and use the GitCode API, OpenClaw CLI, and notification channels (DingTalk/WeCom) — which fits the stated purpose — but the registry metadata lists no required env vars, credentials, or binaries. In practice the skill expects: a GitCode token file ($HOME/.openclaw/workspace/data/gitcode-token.txt), an OpenClaw CLI binary (OPENCLAW_CMD or openclaw in PATH), curl and jq, and notification targets (TARGET_DINGTALK / TARGET_WECOM). Those were not declared in the skill metadata and should have been.
Instruction Scope
The SKILL.md and scripts stay within the described purpose: polling GitCode APIs, invoking an OpenClaw agent to produce a Markdown report, posting comments to GitCode, and sending notifications. The instructions reference concrete files/paths (workspace data, logs, lockfiles, ~/.openclaw/openclaw.json for WeCom channel) and call external endpoints (gitcode.com and OpenClaw messaging). Nothing in the scripts asks for unrelated host data, but they do assume access to workspace files and the local openclaw CLI.
Install Mechanism
No install spec or remote downloads are present; the package is script-based and writes nothing during 'install'. Risk is limited to runtime behavior of the scripts rather than an installer fetching arbitrary code.
Credentials
The scripts require a GitCode PRIVATE-TOKEN (stored in a file) and notification target env vars, and they expect a wecom-app channel configuration in ~/.openclaw/openclaw.json. The registry metadata listed none of these credentials or config paths. Requiring a GitCode token is reasonable for the purpose, but the omission in metadata is an incoherence and increases the chance the user will miss that sensitive secret must be supplied and protected.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide agent settings. It writes state, logs, and reports under the OpenClaw workspace (normal for a monitor) and uses /tmp lockfiles; these are expected for a cron-run monitor.
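How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install openclaw-gitcode-pr-monitor
  3. After installation, invoke the Skill by name or trigger it with /openclaw-gitcode-pr-monitor
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history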
v0.1.2
Further sanitize package: remove hardcoded repo defaults and absolute local install paths; use env-based config and PATH discovery.
v0.1.1
Anonymize default repo names (remove real wifi/dhcp repo identifiers); add env-based repo configuration.
v0.1.0
Initial release: multi-repo GitCode PR monitoring + OpenClaw AI review + DingTalk/WeCom notifications.
Metadata
Slug openclaw-gitcode-pr-monitor
Version 0.1.2
License MIT-0
Total installs 0
Current installs 0
Historical versions 3
FAQ

What is openclaw-gitcode-pr-monitor?

Monitor GitCode PRs for one or more repos, auto-run AI review via OpenClaw Gateway, post PR comments, and send notifications (DingTalk + WeCom). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 280 total downloads to date.

How do I install openclaw-gitcode-pr-monitor?

Run the command "/install openclaw-gitcode-pr-monitor" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is openclaw-gitcode-pr-monitor free?

Yes, openclaw-gitcode-pr-monitor is completely free under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does openclaw-gitcode-pr-monitor support?

openclaw-gitcode-pr-monitor runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed openclaw-gitcode-pr-monitor?

Developed and maintained by mingyang1996 (@mingyang1996); the current version is v0.1.2.