gitlab-skill

Security checks across malware telemetry and agentic risk

Overview

This GitLab skill does what it claims, but it handles GitLab tokens in ways that could expose them during normal use.

Review before installing. Use a dedicated least-privilege GitLab token, prefer environment variables or a config file that you manually set to chmod 600, avoid the private HTTPS clone helper until token-in-URL handling is fixed, and do not use this on untrusted networks unless TLS verification is corrected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

High, 99% confidence
Finding
The code creates an unverified SSL context unconditionally in `__init__`, and `_make_request` always uses that context even when `insecure=False`. This silently disables certificate verification for all HTTPS API traffic, enabling man-in-the-middle interception or tampering of GitLab API requests and authentication tokens.

Vague Triggers

Medium, 83% confidence
Finding
The skill description is broad enough to match many generic GitLab-related prompts, which can cause over-invocation of a high-privilege skill. In practice, that increases the chance that credentials, shell commands, or repository-modifying actions are used in situations where a narrower skill or explicit confirmation should have been required.

Vague Triggers

Low, 79% confidence
Finding
Repeated trigger phrasing like 'When the user wants...' creates permissive activation logic without precise guardrails. In a skill that can create projects, modify issues/MRs, and use tokens, ambiguous activation increases the risk of unintended privileged operations.

Missing User Warnings

Medium, 93% confidence
Finding
The template creator writes `~/.claude/gitlab_config.json` with mode 0644, making it potentially readable by other local users before the user replaces the placeholder with a real token. In a credential-loading skill, this is relevant because the same file path is later used for live secrets, so users may follow the prompt and temporarily or permanently leave sensitive credentials in a world-readable file.

Missing User Warnings

Medium, 99% confidence
Finding
The request explicitly disables TLS certificate verification via `ssl._create_unverified_context()`, which allows a man-in-the-middle attacker to intercept or tamper with traffic to the GitLab server. Because the request includes a `PRIVATE-TOKEN` header, this can expose authentication credentials and repository metadata, especially on untrusted or corporate networks with weak segmentation.

VirusTotal

65/65 vendors flagged this skill as clean.