📦 Agent Bug Submission — 缺陷提报
v1.0.0一键把缺陷信息提交至TeamCycle平台,实现缺陷全生命周期管理,并同步飞书多维表格与文档,方便记录与查询。
0· 45·0 当前·0 累计
by 下载技能包
最后更新
2026/4/13
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to perform the advertised task but has several red flags you should address before installing or using it:
- Verify the 'bug-reporter' dependency: the SKILL.md points to a hard-coded local path (C:\Users\zhanju.zhang\...). Confirm that the referenced code exists on your system, inspect its source, and ensure it is trustworthy before allowing the agent to execute it.
- Do not pass passwords on the command line: the example shows a plaintext password argument. That exposes cred...详细分析 ▾
ℹ 用途与能力
The skill's name/description say it submits bugs to TeamCycle and writes to Feishu, which matches the instructions. However the SKILL.md depends on a local 'bug-reporter' component at a specific Windows path under a user's home (C:\Users\zhanju.zhang\.openclaw\workspace\skills\bug-reporter). Requiring a user-specific local path is unusual for a generic skill and is not explained; it reduces portability and may indicate the skill was authored for a single developer environment.
⚠ 指令范围
Instructions tell the agent to invoke a local script (python scripts/bug_reporter.py) and pass credentials directly on the command line (example includes a password parameter). It permits exec/read/write and Feishu tool actions. The document references TeamCycle API endpoints and specific Feishu doc/table IDs. The SKILL.md does not say where TeamCycle/Feishu credentials come from, nor constrain where local records are written — this gives the agent broad discretion to run commands and access files beyond what's explicitly justified.
✓ 安装机制
This is an instruction-only skill with no install spec and no code files beyond a package.json and SKILL.md; that's low install risk. Nothing is downloaded or written to disk by an installer as part of the skill itself.
⚠ 凭证需求
The skill clearly requires sensitive credentials (TeamCycle username/password and Feishu API/auth tokens) to operate, but requires.env is empty and no primary credential is declared. The example demonstrates passing a plaintext password as a command-line argument (which exposes it to process listings and logs). Feishu actions are listed in allowed-tools but no Feishu credentials or token handling are described. This mismatch between needed secrets and declared requirements is disproportionate and risky.
ℹ 持久化与权限
always:false (normal). The skill requests potentially powerful tools (exec, read, write) and Feishu actions, which allow filesystem and network activity; that is expected for an integration skill but increases blast radius if misused. The dependency on a local bug-reporter skill path implies access to other skill code/config on disk; the SKILL.md does not clarify whether credentials or tokens are stored locally or how records are persisted.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/13
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install agent-bug-submission
镜像加速npx clawhub@latest install agent-bug-submission --registry https://cn.longxiaskill.com