Fetch and query data from GitCode platform via its REST API: repositories, branches, issues, pull requests, commits, tags, users, organizations, search, webh...
Security Analysis
high confidence
The skill's requirements and runtime instructions match its stated purpose (calling the GitCode REST API) and the included setup script only reads or writes a local GITCODE_TOKEN environment variable — nothing appears disproportionate or hidden.
Name/description promise full GitCode API access; required env var is only GITCODE_TOKEN and files/docs enumerate the v5 endpoints. Nothing requested (no extra credentials, binaries, or config paths) is unrelated to querying/managing GitCode.
SKILL.md instructs the agent to read GITCODE_TOKEN from the environment and to call GitCode API endpoints (base URL https://api.gitcode.com/api/v5). It also suggests optionally running scripts/setup_gitcode_token.py to help set the env var. The script legitimately queries process/user/machine env vars on Windows and can write a User env var on Windows or print an export line for Unix; this is within scope but is persistent behavior the user should be aware of.
No install spec and no third-party downloads; the skill is instruction-only with one small helper script (pure Python standard library). This is low risk and coherent with the stated purpose.
Only GITCODE_TOKEN is required and declared as primaryEnv — appropriate for API access. The helper script encourages persisting the token as a Windows User env var or adding an export line on Unix; storing tokens in environment variables is common but makes the secret available to local processes and persisted on disk via shell rc files, so users should use least-privilege tokens and avoid sharing them.
always:false and the skill does not request elevated privileges. The only persistent action is the optional setup script writing a Windows User environment variable (or printing an export recommendation on Unix). That behavior is expected for a token setup helper but is persistent and worth noting.
Guidance
This skill appears coherent: it only needs a GitCode personal access token and includes a small helper script to check or store that token as an environment variable. Before installing: (1) confirm you trust the skill author/source (source/homepage are unknown); (2) create a token with the minimum scopes needed (read_api/read_repository rather than full admin rights); (3) avoid pasting tokens into public chat or code examples; (4) if you don't want persistence, don't run the --set action — instead export the token only in the current shell session; (5) if you run the setup script on Windows it will write a User env var (persistent) — revoke the token if you suspect compromise. If you want extra assurance, inspect reference.md and the setup script (both included) — they are short and transparent.
Latest Release
v1.0.0
Initial release of gitcode.
- Fetch and query data from the GitCode platform via its REST API, supporting repositories, branches, issues, pull requests, commits, tags, users, organizations, search, webhooks, members, and releases.
- Requires Python 3.7+ standard library only; no external dependencies.
- Authentication managed through the GITCODE_TOKEN environment variable, with a setup script provided.
- Includes thorough API, usage instructions, error codes, and examples for all endpoints in reference and examples documentation.
- Documentation available in both English and Chinese.
Published by @autoxj on ClawHub