Gitlab Mr Review Pipeline

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed GitLab MR review automation, but it can read repository diffs and email AI-generated reports using stored credentials without clear final user confirmation.

Review before installing. Use a dedicated least-privilege GitLab token, avoid broad api scope if possible, verify every configured repository and MR, inspect report contents for sensitive code or secrets, and require manual approval before any email is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium (91% confidence)
Finding:
The README instructs users to invoke the skill with a very broad natural-language phrase ('帮我审核 GitLab 仓库的 MR', i.e. "Help me review the GitLab repository's MRs"), which can plausibly overlap with ordinary requests and cause unintended activation. In an agentic workflow that performs external actions like fetching MR data, generating reports, and emailing contributors, accidental triggering can lead to unwanted processing and data disclosure.

Missing User Warnings

Medium (89% confidence)
Finding:
The documentation states that the pipeline will email review reports to MR submitters and shows collection/use of submitter email addresses, but it does not prominently warn about privacy, consent, or the operational risk of sending externally generated AI review content. In this context, the skill handles code, identities, and outbound communication, so missing notice and safeguards increases the chance of unapproved disclosure or misuse of personal/work email data.

Vague Triggers

Medium (84% confidence)
Finding:
The invocation phrase is broad enough to match ordinary user requests about reviewing GitLab MRs, which can trigger the skill unexpectedly. In this skill, accidental activation is more dangerous because it can access local credentials, call external APIs, generate reports, and send emails.

Missing User Warnings

Medium (91% confidence)
Finding:
The skill sends review results and MR-related content by email without a clear warning or confirmation immediately before transmission. Because diffs and AI-generated findings may contain proprietary code, secrets, or sensitive internal details, emailing them can create a significant data exfiltration path.

Missing User Warnings

Medium (89% confidence)
Finding:
The script collects a GitLab access token and email authorization code, then persists them in plaintext JSON under the user's home directory. Although it sets file mode 600 after writing, there is no explicit warning, no encryption, and no secure input handling, so secrets may be exposed through local compromise, backups, misconfigured home directory permissions, or the brief window before chmod is applied.

VirusTotal

66/66 vendors flagged this skill as clean.
