v1.0.0

Gitlab Ci Optimizer

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:43 AM.

Analysis

This is a coherent instruction-only GitLab CI review skill. It may read and search local CI configuration files, but the artifacts show no code execution beyond purpose-aligned shell examples, and no handling of credentials, persistence mechanisms, or account mutation.

Guidance

This skill appears safe to install as an instruction-only helper for GitLab CI review. Use it in the intended repository, watch for CI files that contain sensitive variables or secrets, and ask the agent to present optimization recommendations for review before modifying pipeline files.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low. Confidence: High. Status: Note.
SKILL.md
Read the `.gitlab-ci.yml` and any included files ... `cat .gitlab-ci.yml` ... `find . -name "*.gitlab-ci.yml"` ... `grep -E "variables:" .gitlab-ci.yml`

The skill instructs the agent to use local shell commands to read and search CI configuration files, including variable definitions. This is expected for a CI optimizer, but it can bring private repository configuration into the agent context.

User impact: If run in the wrong directory or against CI files containing secrets, the agent may inspect more local project data than intended.

Recommendation: Use the skill from the intended repository root, keep secrets out of committed CI files, and review any proposed changes before applying them.

Agentic Supply Chain Vulnerabilities
Severity: Info. Confidence: High. Status: Note.
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The skill has limited provenance information, although the lack of code files, dependencies, and install steps substantially reduces executable supply-chain exposure.

User impact: It may be harder to verify who authored the guidance, but there is no artifact-backed evidence of hidden code or dependency execution.

Recommendation: Review the SKILL.md content before relying on it for production CI changes, especially because the source and homepage are not provided.