glab

Security checks across malware telemetry and agentic risk

Overview

This GitLab CLI skill is transparent and purpose-aligned, but users should avoid a troubleshooting step that prints their GitLab token.

Install only if you need GitLab CLI automation. Use the least-privileged GitLab token that fits your task, review write or delete operations before running them, be careful with glab api because it can use your token broadly, and do not print or share your full GITLAB_TOKEN in terminals, logs, screenshots, or support requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The guide tells users to run `echo $GITLAB_TOKEN`, which prints a sensitive access token directly to the terminal and potentially into shell history, terminal scrollback, screen recordings, or shared sessions. In a troubleshooting document this is unnecessary exposure of a secret and increases the chance of accidental credential disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
