Back to skill

Security audit

GitLab API

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed GitLab API helper that can read and change repositories with the user's token, but I found no hidden behavior or unauthorized endpoint use.

Install only if you want an agent to use your GitLab token for repository work. Prefer a dedicated least-privilege token, use read-only scopes unless writes are needed, protect the token file with restrictive permissions, configure only trusted GitLab instances, and manually confirm project, branch, path, content, and commit message before any write or delete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill exposes shell-based operational capability but does not declare permissions or clearly constrain that capability. In an agent setting, undocumented shell access increases the chance the skill is invoked with more power than intended, especially since it performs authenticated API actions against repositories.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The description says to use the skill for 'any other GitLab repository operations,' which is overly broad and likely to match many ordinary requests. In an agent environment, broad activation language can cause over-selection of this powerful skill, leading to unintended token use, network access, or repository modifications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation includes a file deletion operation with no warning about irreversibility, verification steps, or confirmation requirements. Because this skill is specifically for repository operations, silent destructive guidance is more dangerous: an agent could translate an ambiguous request into permanent repository changes or data loss.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup instructs users to store a personal access token in a local file without discussing file permissions, token minimization, rotation, or the risk of exposing a high-privilege credential. Since the token enables authenticated GitLab API access, compromise of that file could allow repository read, write, or administrative actions depending on scope.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This function can modify repository contents directly via the GitLab API without any built-in confirmation, dry-run mode, or safety interlock. In an agent skill context, that increases the chance of unintended or over-broad writes if an upstream prompt, tool invocation, or parameter is wrong, especially because it targets a remote code repository.

Missing User Warnings

High
Confidence
97% confidence
Finding
This function performs irreversible remote file deletion with no confirmation prompt, no soft-delete mechanism, and no branch protection logic in the script. In a repository automation skill, deletion is more dangerous than writes because a mistaken invocation can remove important source, configuration, or CI files and immediately propagate through version control workflows.

External Transmission

Medium
Category
Data Exfiltration
Content
local encoded_path=$(urlencode "$file_path")
    
    curl -s -X DELETE -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
        -H "Content-Type: application/json" \
        "$API_BASE/projects/$project_id/repository/files/$encoded_path" \
        -d @- <<EOF | jq -r '"Deleted: " + .file_path'
Confidence
88% confidence
Finding
curl -s -X DELETE -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \ -H "Content-Type: application/json" \ "$API_BASE/projects/$project_id/repository/files/$encoded_path" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.