← 返回 Skills 市场
自动周报助手
作者
Carson1012
· GitHub ↗
· v1.0.0
· MIT-0
123
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install weekly-report-ai
功能描述
自动整理周报工具。支持从多个数据源(GitHub、飞书文档、日历)汇总工作内容,生成Markdown周报。支持保存历史、AI摘要、导出PDF/HTML、发送邮件、写入飞书文档。适用于需要定期总结工作成果的用户。
安全使用建议
This skill appears to do what it claims, but review these before installing/using: 1) Credentials: the scripts require GitHub/Feishu/SMTP/Google credentials even though the registry metadata lists none — supply tokens securely (prefer environment variables or a secrets store, not raw CLI args) and avoid embedding passwords in shell history. 2) Local storage: reports and metadata are saved under ~/.weekly-report/history/ — check permissions and clean sensitive contents if needed. 3) Dependencies: ensure Python packages (requests, PyGithub, googleapiclient) and optional tools (pandoc, xelatex) are installed in a controlled environment. 4) Bugs: there are minor code bugs (incorrect datetime.timedelta usage in history_manager) you may want to fix before automated runs. 5) Least privilege: create and use scoped API tokens (short-lived or limited-permission tokens) and revoke them if you stop using the skill. If you want, I can point out exact lines to change for safer credential handling or help produce hardened example usage (env var approach, prompting for secrets, file-permissions).
功能分析
Type: OpenClaw Skill
Name: weekly-report-ai
Version: 1.0.0
The skill bundle is a functional weekly report generator that aggregates data from GitHub, Feishu, and Google Calendar. It is classified as suspicious because it possesses several high-risk capabilities that, while aligned with its stated purpose, present a significant attack surface. These include sending emails via SMTP using user-provided credentials (email_sender.py), executing external shell commands via subprocess for PDF conversion (export_pdf.py), and performing local filesystem writes for history management (history_manager.py). No evidence of intentional malice or data exfiltration was found, but the scripts lack robust input sanitization, such as in the regex-based Markdown-to-HTML conversion which is vulnerable to XSS, and the potential for path traversal in history management.
能力评估
Purpose & Capability
The skill's name/description match the included scripts: GitHub, Feishu, calendar fetching, report generation, PDF/HTML export, email sending, and local history management. However, the registry metadata declares no required environment variables/credentials while the SKILL.md and the scripts clearly require secrets (GitHub token, Feishu token, SMTP credentials or Google credentials file). That mismatch is an inconsistency (likely metadata omission) but not evidence of malicious behavior.
Instruction Scope
Runtime instructions and scripts operate within the expected scope: they call GitHub/Feishu/calendar APIs and write reports to ~/.weekly-report/history/. They do not call unknown external endpoints. A notable operational detail: the SKILL.md and sample commands suggest passing tokens/passwords on the command line, which can leak to shell history and process listings; the Google calendar path expects a local credentials file. Also check the code quality issues (e.g., a couple of datetime.timedelta references that will raise errors) before automated scheduling.
Install Mechanism
This is an instruction-only skill with bundled scripts and no install spec that downloads remote code. No external installers or unpacking from arbitrary URLs are used, so installation risk is low. The code imports external Python packages (requests, PyGithub, googleapiclient), so you must ensure a safe runtime environment with those dependencies.
Credentials
Although the registry metadata lists no required environment variables, the scripts require sensitive credentials (GitHub personal access token, Feishu access token, Google credentials file, SMTP username/password). Those credentials are reasonable for the described integrations, but the metadata omission is misleading. Also, passing sensitive secrets on command line arguments (examples in SKILL.md) can expose them via process listings or shell history — a privacy risk to consider.
Persistence & Privilege
The skill writes report files and metadata into its own user-scoped directory (~/.weekly-report/history/) which is appropriate for its purpose. It does not request always:true, does not modify other skills, and does not attempt to change system-wide agent settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install weekly-report-ai - 安装完成后,直接呼叫该 Skill 的名称或使用
/weekly-report-ai触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
首次发布 - 支持GitHub/飞书/日历数据源,支持生成Markdown/HTML/PDF,支持邮件发送和飞书文档写入
元数据
常见问题
自动周报助手 是什么?
自动整理周报工具。支持从多个数据源(GitHub、飞书文档、日历)汇总工作内容,生成Markdown周报。支持保存历史、AI摘要、导出PDF/HTML、发送邮件、写入飞书文档。适用于需要定期总结工作成果的用户。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 123 次。
如何安装 自动周报助手?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install weekly-report-ai」即可一键安装,无需额外配置。
自动周报助手 是免费的吗?
是的,自动周报助手 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
自动周报助手 支持哪些平台?
自动周报助手 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 自动周报助手?
由 Carson1012(@carson1012)开发并维护,当前版本 v1.0.0。
推荐 Skills