Gitlab Manager

v1.0.0

Manage GitLab repositories, merge requests, and issues via API. Use for tasks like creating repos, reviewing code in MRs, or tracking issues.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The name/description, SKILL.md, and the included script consistently implement GitLab API operations (create repo, list/comment MRs, create issues) calling https://gitlab.com/api/v4. However the registry metadata claims no required environment variables or primary credential while both SKILL.md and the script require GITLAB_TOKEN. That metadata omission is disproportionate and reduces transparency about needed credentials.
Instruction Scope
SKILL.md limits runtime actions to running the provided Node script to talk to the GitLab API. The instructions do not ask the agent to read unrelated files or send data to endpoints other than GitLab. The runtime behavior is scoped to repository/MR/issue operations.
Install Mechanism
There is no install spec (instruction-only) and the package only includes a short Node script. Nothing is downloaded or extracted from external/untrusted URLs.
! Credentials
Requiring a GITLAB_TOKEN (PAT with 'api' scope) is appropriate for the declared functionality, but the registry metadata does not list this required env var or a primary credential. That mismatch is problematic because the platform may not prompt you to provide a token or treat it as a secret. Also, giving a PAT to an installed skill grants it direct API access to your projects — you should ensure the token is least-privilege, short-lived, and issued only if you trust the skill.
Persistence & Privilege
always is false and there are no config paths or system-wide changes requested. The skill can be invoked autonomously (platform default) — normal for skills, but note that autonomous invocation plus a supplied PAT allows the skill to act on your GitLab resources without further prompts.
What to consider before installing
Before installing:
(1) Ask the publisher/registry to update the metadata to declare GITLAB_TOKEN as a required credential so the platform can treat it as a secret.
(2) Inspect the included script (it's short) and confirm it only talks to https://gitlab.com/api/v4 (no hidden endpoints).
(3) If you proceed, create a dedicated GitLab Personal Access Token with the minimum scopes and expiration needed (avoid broad scopes), and store it in the platform's secret store rather than passing it on the command line.
(4) Consider running the script locally or in an isolated environment first.
(5) If you cannot verify the origin/trustworthiness of the skill (source is unknown), prefer not to grant a PAT to it.
