
      Safety Report

      weekly-report-generator-feishu-chinese

      @prayone

      Use this skill to generate weekly reports from git commit logs. Automatically analyzes git history, categorizes work, and formats a professional weekly report.

      105 Downloads · 0 Installs · 0 Stars · 1 Version
      Networking & DNS (2,106) · Git & Version Control (1,782)

      Security Analysis

      Suspicious · 0.04 risk · high confidence

      The skill's stated purpose (generate weekly reports from git and post to Feishu) matches the included scripts, but there are multiple coherence and safety problems: it reads arbitrary Git repos, references undeclared environment variables/credentials, mandates automatic execution and sending to an external endpoint, and advises installing a persistent scheduled task — all without declaring required secrets or asking the user.

      Apr 2, 2026 · 5 files · 5 concerns

      Purpose & Capability: concern

      The skill claims to generate weekly reports from git and send them to Feishu, which aligns with the included scripts. However, the registry metadata declares no required env vars/credentials, while the included send-to-feishu.sh requires APP_ID/APP_SECRET/RECEIVE_ID and the scripts read PROJECT_ROOT. The SKILL.md also hardcodes paths (/Users/ai/cline-skills) and instructs scanning multiple repositories; the declared requirements do not match what the code needs.

      Instruction Scope: concern

      SKILL.md instructs the agent to run scripts at absolute paths without asking the user, to scan PROJECT_ROOT for all Git repos, to perform OCR on user screenshots, and — in one section — to automatically send the generated report to Feishu 'must execute' without any user confirmation. Those instructions access lots of local data and transmit results to an external service; they also reference environment variables (PROJECT_ROOT) and files not declared in the skill manifest.

      Install Mechanism: note

      There is no automated install spec (instruction-only), which is lower risk in that nothing is automatically downloaded. However, the distribution includes scripts and a launchd plist in the documentation; the install docs instruct copying scripts to ~/ai/cline-skills and creating a launchd job. The lack of a formal install spec means nothing prevents the agent from instructing the user (or itself) to create persistent tasks; this is a functional but notable gap.

      Credentials: concern

      The skill manifest lists no required environment variables or credentials, but the code and docs require/expect: PROJECT_ROOT (path to scan) and Feishu credentials (APP_ID, APP_SECRET, RECEIVE_ID/open_id). APP_SECRET is sensitive; the docs even instruct editing the script to embed it (which is poor practice). The SKILL.md also references git config and will access the user's repositories — credential and scope requests are under-specified and disproportionate to the manifest.

      Persistence & Privilege: concern

      The documentation describes creating a macOS launchd entry to run weekly and the skill enforces automatic sending semantics in SKILL.md. While the skill metadata doesn't set always:true, the provided instructions encourage persistent scheduled execution and automated push to an external service without per-run consent — this raises persistence and privilege concerns.

      Guidance

      This skill will scan directories of Git repositories and build a report file, then send the report to a Feishu (Lark) API. Key things to consider before installing or using it:

      - Credentials and secrets: send-to-feishu.sh requires APP_ID and APP_SECRET (sensitive). The skill manifest does not declare these; verify and never store APP_SECRET in a repo or world-readable file. Use a least-privilege service account and keep secrets in a safe place (not embedded in scripts).
      - Repository scope and data exfiltration: the scripts scan PROJECT_ROOT for all Git repos and collect commit messages and code-change statistics. Ensure PROJECT_ROOT is set to a safe, restricted path (or test in a throwaway environment) so you don't inadvertently expose private repos or secrets.
      - Automatic sending and consent: SKILL.md instructs automatic sending to Feishu without asking the user. If you want manual control, modify the workflow to require explicit user confirmation before calling send-to-feishu.sh.
      - Persistent scheduling: the docs show creating a launchd task. If you do not want automatic periodic scans, do not install or load the scheduled job. Review any plist before loading.
      - Audit the scripts: review send-to-feishu.sh and auto-weekly-report.sh yourself; they are short but perform network calls (curl, urllib) and file system traversal. Confirm the exact data sent (send-to-feishu.sh truncates to 3000 chars) and adjust as needed.
      - Safer alternatives: run the scripts manually in an isolated environment, point PROJECT_ROOT to a single repo, and configure Feishu credentials via secure env vars rather than editing the script. Consider requiring explicit user approval in the SKILL.md before any network call.

      If you trust the author and will restrict paths and secrets appropriately, the functionality is coherent; otherwise treat this skill as risky and prefer manual review/testing first.

      Latest Release

      v1.0.0

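      Weekly Report Generator is an AI-based tool for automating weekly reports. It automatically extracts information from Git commit records, work descriptions and work screenshots, generates high-quality, business-oriented weekly report documents, and automatically sends them to Feishu. It frees your hands completely, turning weekly report writing from a "painful exercise in recollection" into "a one-sentence job".

      1. One-click generation: say "generate my weekly report according to the skill" and everything else is done automatically
      2. Zero-configuration use: no need to manually count code, no need to connect github/gitlab addresses, no need to organize commit records
      3. Smart sending: the report is automatically pushed to Feishu after generation; scheduled sending can be set up, with no manual steps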


      Published by @prayone on ClawHub
