GitLab API
v0.1.0
GitLab API integration for repository operations. Use when working with GitLab repositories for reading, writing, creating, or deleting files, listing projects, managing branches, or any other GitLab repository operations.
⭐ 1· 2k·5 current·5 all-time
by @d1gl3
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and the included script all align on GitLab repository operations (read/write/delete files, list projects/branches). However, the registry metadata claims no primary credential and no required binaries even though the skill expects a GitLab personal access token and uses curl/jq/base64. The missing declarations are an inconsistency (likely an oversight) but not evidence of malicious intent.
Instruction Scope
The SKILL.md and scripts confine themselves to interacting with GitLab APIs and local config under ~/.config/gitlab. They do not instruct reading unrelated system files or exfiltrating data to unexpected endpoints; all network calls target the configured GitLab instance. Examples and helper script consistently use the token and instance URL stored under ~/.config/gitlab or via GITLAB_TOKEN/GITLAB_URL env vars.
Install Mechanism
This is an instruction-only skill with no install spec. Nothing is downloaded or written by an installer. The helper script is included in the package; no installation mechanism risk was found.
Credentials
The skill requires a GitLab personal access token (and optionally GITLAB_URL/GITLAB_TOKEN env vars), but the registry metadata lists no required env vars or primary credential. The script also implicitly requires external binaries (curl, jq, base64) which are not declared. Requiring an API token is reasonable for the stated purpose, but the omission in metadata reduces transparency and could lead to accidental misconfiguration or credential exposure. Users should note the token is stored in plaintext at ~/.config/gitlab/api_token by the recommended steps.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It reads a local config file and may be run by the agent, which is normal for a connector of this type.
What to consider before installing
This skill implements a straightforward GitLab API helper, but before installing you should:
1) Verify you are comfortable giving it a GitLab personal access token — create a token with the minimum scopes needed (prefer read_api or limited repo write scopes rather than full 'api' if possible).
2) Note the SKILL.md recommends storing the token in plaintext at ~/.config/gitlab/api_token; consider using an environment variable or a secrets manager instead to reduce exposure.
3) Ensure the host running the skill has curl, jq and base64 available (the registry metadata did not declare these dependencies).
4) Review and test the included scripts in a safe environment (especially write-file and delete-file commands) before allowing autonomous agent use.
5) If you expect strict provenance, ask the publisher to correct the metadata to declare the required credential and runtime binaries so the permission surface is clear.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a010jesdmemq8dz94my9nth80gn9c
