Gitlab Manager
Security checks across malware telemetry and agentic risk
Overview
This is a straightforward GitLab API helper, but it uses a GitLab token that can make real repository changes, so it should be used with a scoped token and deliberate approval for write actions.
Install this only if you want the agent to perform GitLab API tasks. Use a dedicated, least-privilege GitLab token, avoid using an admin or personal all-purpose token, and explicitly review actions that create repositories, issues, or merge request comments.
VirusTotal
49/49 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token has broad permissions, the agent could create or modify GitLab resources accessible to that token when the skill is invoked.
A GitLab personal access token with `api` scope can grant broad read/write authority over resources available to that account. This is purpose-aligned for GitLab management, but it is a sensitive credential.
- **GITLAB_TOKEN**: A Personal Access Token with `api` scope must be set in the environment.
Use a dedicated GitLab token with the minimum practical permissions, preferably limited to the relevant project or group, and revoke or rotate it when no longer needed.
An accidental or overly broad invocation could create unwanted repositories, issues, or comments.
The documented commands include write operations that create projects, post merge request comments, and open issues. These actions match the skill purpose but can affect shared or public GitLab spaces.
`./scripts/gitlab_api.js create_repo ...`; `./scripts/gitlab_api.js comment_mr ...`; `./scripts/gitlab_api.js create_issue ...`
Review and approve write actions before running them, especially on shared, public, or production GitLab projects.
Users may not notice from registry metadata alone that this skill needs a sensitive GitLab token.
The registry metadata does not declare the GITLAB_TOKEN credential requirement that is documented in SKILL.md and enforced by the script.
Required env vars: none; Primary credential: none
Update the skill metadata to declare GITLAB_TOKEN as a required credential/environment variable and document the recommended minimum permissions.
