Trusted — Risk Score 5/100
Last scan: 19 hr ago
GitLab Daily Report Skill
AI assistant for GitLab project data analysis and Feishu report generation
GitLab Daily Report skill is a legitimate reporting tool that fetches GitLab data and sends formatted reports to Feishu. No malicious behavior detected.
Skill Name: GitLab Daily Report Skill
Duration: 30.3s
Engine: pi
Safe to install
This skill is safe to use. Standard security hygiene: ensure config.json is protected, use minimal-privilege GitLab tokens, and restrict Feishu webhook access.

Findings (1 item)

Severity: Low
Finding: SSL certificate verification disabled (Sensitive Access)
Location: scripts/gitlab_report.py:19
Description: The script disables SSL verification (ssl.CERT_NONE) to support self-signed GitLab certificates. This is documented and necessary for internal GitLab instances with self-signed certs.
    _SSL_CTX.verify_mode = ssl.CERT_NONE
Recommendation: Consider adding a config option to enable SSL verification for production environments with valid certificates.
Resource      Declared   Inferred   Status      Evidence
Filesystem    READ       READ       ✓ Aligned   SKILL.md declares config.json reading
Network       WRITE      WRITE      ✓ Aligned   GitLab API reads and Feishu webhook writes are documented
Shell         READ       READ       ✓ Aligned   Runs python scripts for data fetching
Environment   NONE       READ       ✓ Aligned   Reads gitlab_token from config.json, not os.environ
External URL findings (3 items)

Medium: External URL https://gitlab.yourcompany.com (references/README.md:29)
Medium: External URL https://your-server.com/webhook (references/README.md:114)
Medium: External URL https://open.feishu.cn/open-apis/bot/v2/hook/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (scripts/config.example.json:11)

File Tree

5 files · 41.3 KB · 1116 lines
Python: 2 files, 729 lines · Markdown: 2 files, 372 lines · JSON: 1 file, 15 lines
├─ 📁 references
│ └─ 📝 README.md Markdown 188L · 5.4 KB
├─ 📁 scripts
│ ├─ 📋 config.example.json JSON 15L · 327 B
│ ├─ 🐍 example.py Python 19L · 616 B
│ └─ 🐍 gitlab_report.py Python 710L · 28.3 KB
└─ 📝 SKILL.md Markdown 184L · 6.6 KB

Security Positives

✓ No credential harvesting beyond the GitLab API token required for functionality
✓ No data exfiltration - only sends report data to the configured Feishu webhook
✓ No obfuscation or base64-encoded payloads detected
✓ No suspicious network connections to unknown IPs
✓ Documentation accurately describes all functionality
✓ Uses only the Python standard library (no third-party dependencies that could introduce vulnerabilities)
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reading)
✓ Proper two-step confirmation flow prevents accidental data push
✓ ThreadPoolExecutor used for legitimate concurrent API requests