GitLab API Client

Security checks across malware telemetry and agentic risk

Overview

This is a coherent GitLab management skill, but it gives an agent broad write, delete, merge, and webhook authority without clear confirmation safeguards.

Install only if you want an agent to act in GitLab with the permissions of the token you provide. Prefer a read-only or narrowly scoped token when possible, do not put tokens in URLs, keep .env out of version control, and require explicit confirmation of exact project IDs, branches, files, issues, merge requests, and webhook URLs before any write, delete, merge, approve, retry, cancel, or webhook action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares only an allowed tool but does not clearly declare the sensitive capabilities it relies on, namely environment-file access and outbound network access through the GitLab client. This can weaken policy enforcement and user understanding, especially because the skill is designed to operate with a personal access token and perform privileged API actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly recommends sending `private_token` in the URL query string, which can expose credentials through browser history, proxy/server logs, referrer headers, monitoring tools, and copied links. In the context of an API skill that handles GitLab administration and repository operations, leaking a token could enable unauthorized read or write actions depending on the token scope.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The command reference includes destructive actions such as project deletion, branch deletion, issue deletion, and merge operations without explicit confirmation or risk warnings. In an agent setting, omission of safety cues increases the chance of accidental high-impact changes to source control and project state.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Repository file create, update, and delete commands can directly alter code and configuration, yet the documentation provides no warning about integrity impact, branch safety, or review expectations. In practice, these actions could introduce malicious changes, break builds, or overwrite critical files if an agent acts on ambiguous instructions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Webhook creation accepts a destination URL and optional token but does not warn about data exfiltration, SSRF-like risks against internal endpoints, or exposure of event payloads. In a GitLab-integrated environment, an agent could be induced to register hostile webhooks that leak repository metadata or trigger downstream systems.

Session Persistence

Medium
Category
Rogue Agent
Content
- **NEVER** read, cat, print, grep, or expose the `GITLAB_TOKEN` value.
- **NEVER** use `curl`, `wget`, or any tool to call GitLab API directly. All access MUST go through `gitlab-client`.
- AI may read/write `.env` to manage `GITLAB_URL`, but **GITLAB_TOKEN must be set by the user manually**.

## Setup
Confidence
81% confidence
Finding
write `.env` to manage `GITLAB_URL`, but **GITLAB_TOKEN must be set by the user manually**. ## Setup Requires `./.env` with: ``` GITLAB_URL=https://gitlab.fullnine.com.cn GITLAB_TOKEN=<your-persona

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
