gitlab-code-reviewer

This skill appears to implement a legitimate GitLab MR reviewer, but review the following before installing/using it: - Credentials file: The skill reads ~/.openclaw/credentials/gitlab.json (token + host + ignore_patterns). The registry metadata did not list any required config paths — verify you are comfortable storing your GitLab token at that path and that it is the correct token for the MR host. - Token-host mismatch: The CLI's 'check-token' step verifies the token against the host stored in the credentials file, but later API calls use the host parsed from the MR URL. If you store a token for gitlab.com but review an MR on gitlab.example.com (or vice versa), the 'can_write' result may be wrong. Consider updating the credential host to match the MR host or adjust the code. - Token scope: The token may need 'api' scope to post comments (read_api is insufficient). Only grant the minimum scope you need and rotate tokens if shared. - Review included scripts: The bundle contains Python code that makes network requests and reads your home config. Inspect the credential file contents and the scripts locally if you have concerns. The code does not appear to exfiltrate data to unexpected endpoints, but it will send diffs and comment payloads to the GitLab host derived from the MR URL. - Test first: Run in a safe environment with a test token and test MR to confirm behavior (especially token check vs MR host) before pointing it at production repositories or using a high-privilege token. If you can get the publisher to update the registry metadata to declare the required credentials/config path and fix the token-host check, that would increase confidence.