Back to skill

Security audit

GitLab MR Code Review

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent GitLab review bot, but it can run unattended and post comments across all merge requests visible to the configured GitLab token.

Install only with a dedicated low-privilege GitLab bot token limited to intended projects. Review or change the cron prompt before enabling it, especially the all-visible-MRs behavior, source-branch custom prompt loading, and automatic posting. Keep `.env` out of source control, restrict file permissions, monitor generated GitLab comments, and disable the cron job when not actively needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation tells users to place a long-lived GitLab access token in a local `.env` file but does not warn that this file must be protected from accidental disclosure, logging, backups, or source control commits. In a polling automation skill with API write access, token compromise could let an attacker read repository data and post comments or notes across accessible GitLab projects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The cron setup embeds instructions for a scheduled agent to automatically fetch merge requests, post comments/notes to GitLab, and modify a local review-tracking file without any explicit warning to the operator that enabling this workflow causes autonomous external actions and persistent state changes. Because it runs every two minutes and is instructed to execute directly without permission, a user may enable it expecting passive review assistance but instead grant unattended write access to GitLab and the filesystem, increasing the risk of unintended comments, spam, or state corruption if the review logic misbehaves.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/gitlab-api.js:29