Quality audit for merged GitCode PRs: sample by time range or repo list, check compliance (labels, comments, tests, size, etc.), output table. Use when user...
Security Analysis
High confidence: The skill and its included script are coherent with the stated purpose (auditing merged GitCode PRs), request only a GitCode token, have no installation step, and do not exhibit obvious exfiltration or unrelated privileges.
Name/description ask for GitCode PR audits and the code/README only use the GitCode API (GITCODE_TOKEN). Requested credential (GITCODE_TOKEN) and behaviors (listing PRs, comments, labels, writing report files) match the declared purpose.
SKILL.md instructs running the bundled Python script with repository/time arguments. The instructions and script operate on PR data from api.gitcode.com and write Markdown/CSV outputs; they do not request unrelated files or network endpoints. The README explicitly forbids faking results and requires at least one --repo before running.
No install spec is provided; this is an instruction-only skill with a local Python script that relies only on the standard library. No remote downloads or archive extraction occur.
Only GITCODE_TOKEN is required and declared as the primary credential. The script attempts to read the process environment and (on Windows) user/system environment variables via a PowerShell call—this is consistent with the documented token resolution and appropriate for accessing the GitCode API.
The skill is not always-included and does not request system-wide changes. It writes output files only when the user specifies an --output path and reads a config.json from its own skill root by default; these behaviors are appropriate for a reporting tool.
Guidance
This skill appears coherent and limited to GitCode PR auditing. Before installing or running: 1) review the bundled scripts (they are included) to ensure no local modifications were made; 2) supply a least-privilege GITCODE_TOKEN (personal access token scoped only to read repositories/PRs); 3) run in an environment where writing the chosen --output path cannot overwrite sensitive files; 4) if you use Windows, note the script invokes PowerShell to read user/system environment variables—if you prefer, set the token only in the process environment before running. If you want higher assurance, run the script on a copy of the repository metadata or in an isolated/test account first.
Latest Release
v1.0.0
🎉 Initial release of gitcode-pr-audit
- Provides quality audit for merged GitCode PRs across multiple repositories.
- Samples PRs by time range or PR list, analyzes 8 key compliance dimensions (labels, comments, tests, size, etc.).
- Outputs results as a Markdown or CSV table; command-line tool, Python 3.7+ stdlib only.
- Flexible parameter parsing, with robust multi-repo and branch support.
- Requires GITCODE_TOKEN for authentication; supports Linux/macOS/Windows.
Published by @autoxj on ClawHub