Generate release notes for GitCode repositories from commits (by tag range or since-date), grouped as feat/fix/docs/other, output Markdown for Release pages....
Security Analysis
high confidence
The skill's requirements and instructions match its stated purpose: it calls the GitCode API using a GITCODE_TOKEN, outputs commit data as JSON, and expects the agent to summarize that into release notes.
Name/description: generate release notes from GitCode commits. Declared requirement: GITCODE_TOKEN. Script code calls api.gitcode.com endpoints, lists branches/tags/commits and processes commit messages. The requested credential and network targets are appropriate and proportional to the stated purpose.
SKILL.md precisely instructs: run the included Python script with --json, parse stdout JSON, then summarize and produce Markdown. Instructions explicitly forbid fabricating data or leaking commit IDs/links. The script’s behavior (pull commits, basic filtering) aligns with those instructions and does not ask for unrelated files, system state, or external endpoints beyond GitCode.
No install spec — instruction-only with an included Python script that uses only the standard library. No downloads or archive extraction. This is low-risk and proportionate for a script-based skill.
Only GITCODE_TOKEN is required (declared as primaryEnv). The script reads the token from process env or, on Windows, via a PowerShell call to read user/system environment variables; that use of subprocess is limited to credential retrieval and is reasonable for cross-platform support. No other secrets or unrelated env vars are requested.
always is false; skill is user-invocable and can be autonomously invoked per platform defaults (not flagged alone). The skill does not request permanent system-wide changes or access to other skills' configs.
Guidance
This skill appears coherent and implements what it claims. Before installing: (1) ensure the GITCODE_TOKEN you provide has only the minimal read scopes required (read_api/read_repository); avoid using a token with write/admin scopes. (2) Review or run the included scripts in a safe environment if you have concerns—there is a subprocess call used only to read Windows environment variables via PowerShell. (3) The script communicates only with api.gitcode.com; if your environment restricts outbound network access, allow only that host. (4) When using the skill, verify the produced Markdown before publishing to avoid leaking internal commit IDs or sensitive internal details (the SKILL.md already instructs to remove commit hashes/links).
Latest Release
v1.0.0
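- Initial release
- Supports fetching the commit list via the GitCode API by tag range or date range
- Automatically detects the branch (master → develop → main) and supports a custom branch parameter
- Automatically categorizes commits (feat/fix/docs/other) from the script's JSON output and generates standardized Release Notes Markdown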
Published by @autoxj on ClawHub