GitLab API

v0.1.0

GitLab API integration for repository operations. Use when working with GitLab repositories for reading, writing, creating, or deleting files, listing projects, managing branches, or any other GitLab repository operations.

⭐ 1· 2k·5 current·5 all-time

by@d1gl3

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

Name, description, SKILL.md, and the included script all align on GitLab repository operations (read/write/delete files, list projects/branches). However the registry metadata claims no primary credential and no required binaries even though the skill expects a GitLab personal access token and uses curl/jq/base64. The missing declarations are an inconsistency (likely oversight) but not evidence of malicious intent.

✓

Instruction Scope

The SKILL.md and scripts confine themselves to interacting with GitLab APIs and local config under ~/.config/gitlab. They do not instruct reading unrelated system files or exfiltrating data to unexpected endpoints; all network calls target the configured GitLab instance. Examples and helper script consistently use the token and instance URL stored under ~/.config/gitlab or via GITLAB_TOKEN/GITLAB_URL env vars.

✓

Install Mechanism

This is an instruction-only skill with no install spec. Nothing is downloaded or written by an installer. The helper script is included in the package; no installation mechanism risk was found.

Credentials

The skill requires a GitLab personal access token (and optionally GITLAB_URL/GITLAB_TOKEN env vars), but the registry metadata lists no required env vars or primary credential. The script also implicitly requires external binaries (curl, jq, base64) which are not declared. Requiring an API token is reasonable for the stated purpose, but the omission in metadata reduces transparency and could lead to accidental misconfiguration or credential exposure. Users should note the token is stored in plaintext at ~/.config/gitlab/api_token by the recommended steps.

✓

Persistence & Privilege

The skill does not request always:true and does not modify other skills or system-wide agent settings. It reads a local config file and may be run by the agent, which is normal for a connector of this type.

What to consider before installing

This skill implements a straightforward GitLab API helper, but before installing you should: 1) Verify you are comfortable giving it a GitLab personal access token — create a token with the minimum scopes needed (prefer read_api or limited repo write scopes rather than full 'api' if possible). 2) Note the SKILL.md recommends storing the token in plaintext at ~/.config/gitlab/api_token; consider using an environment variable or a secrets manager instead to reduce exposure. 3) Ensure the host running the skill has curl, jq and base64 available (the registry metadata did not declare these dependencies). 4) Review and test the included scripts in a safe environment (especially write-file and delete-file commands) before allowing autonomous agent use. 5) If you expect strict provenance, ask the publisher to correct the metadata to declare the required credential and runtime binaries so the permission surface is clear.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a010jesdmemq8dz94my9nth80gn9c

2kdownloads

1stars

1versions

Updated 1mo ago

v0.1.0

MIT-0

GitLab API

Interact with GitLab repositories via the REST API. Supports both GitLab.com and self-hosted instances.

Setup

Store your GitLab personal access token:

mkdir -p ~/.config/gitlab
echo "glpat-YOUR_TOKEN_HERE" > ~/.config/gitlab/api_token

Token scopes needed: api or read_api + write_repository

Get a token:

GitLab.com: https://gitlab.com/-/user_settings/personal_access_tokens
Self-hosted: https://YOUR_GITLAB/~/-/user_settings/personal_access_tokens

Configuration

Default instance: https://gitlab.com

For self-hosted GitLab, create a config file:

echo "https://gitlab.example.com" > ~/.config/gitlab/instance_url

Common Operations

List Projects

GITLAB_TOKEN=$(cat ~/.config/gitlab/api_token)
GITLAB_URL=$(cat ~/.config/gitlab/instance_url 2>/dev/null || echo "https://gitlab.com")

curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "$GITLAB_URL/api/v4/projects?owned=true&per_page=20"

Get Project ID

Projects are identified by ID or URL-encoded path (namespace%2Fproject).

# By path
curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "$GITLAB_URL/api/v4/projects/username%2Frepo"

# Extract ID from response: jq '.id'

Read File

PROJECT_ID="12345"
FILE_PATH="src/main.py"
BRANCH="main"

curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "$GITLAB_URL/api/v4/projects/$PROJECT_ID/repository/files/${FILE_PATH}?ref=$BRANCH" \
  | jq -r '.content' | base64 -d

Create/Update File

PROJECT_ID="12345"
FILE_PATH="src/new_file.py"
BRANCH="main"
CONTENT=$(echo "print('hello')" | base64)

curl -X POST -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  -H "Content-Type: application/json" \
  "$GITLAB_URL/api/v4/projects/$PROJECT_ID/repository/files/${FILE_PATH}" \
  -d @- <<EOF
{
  "branch": "$BRANCH",
  "content": "$CONTENT",
  "commit_message": "Add new file",
  "encoding": "base64"
}
EOF

For updates, use -X PUT instead of -X POST.

Delete File

curl -X DELETE -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  -H "Content-Type: application/json" \
  "$GITLAB_URL/api/v4/projects/$PROJECT_ID/repository/files/${FILE_PATH}" \
  -d '{"branch": "main", "commit_message": "Delete file"}'

List Files in Directory

curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "$GITLAB_URL/api/v4/projects/$PROJECT_ID/repository/tree?path=src&ref=main"

Get Repository Content (Archive)

curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "$GITLAB_URL/api/v4/projects/$PROJECT_ID/repository/archive.tar.gz" \
  -o repo.tar.gz

List Branches

curl -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "$GITLAB_URL/api/v4/projects/$PROJECT_ID/repository/branches"

Create Branch

curl -X POST -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  -H "Content-Type: application/json" \
  "$GITLAB_URL/api/v4/projects/$PROJECT_ID/repository/branches" \
  -d '{"branch": "feature-xyz", "ref": "main"}'

Helper Script

Use scripts/gitlab_api.sh for common operations:

# List projects
./scripts/gitlab_api.sh list-projects

# Read file
./scripts/gitlab_api.sh read-file <project-id> <file-path> [branch]

# Write file
./scripts/gitlab_api.sh write-file <project-id> <file-path> <content> <commit-msg> [branch]

# Delete file
./scripts/gitlab_api.sh delete-file <project-id> <file-path> <commit-msg> [branch]

# List directory
./scripts/gitlab_api.sh list-dir <project-id> <dir-path> [branch]

Rate Limits

GitLab.com: 300 requests/minute (authenticated)
Self-hosted: Configurable by admin

API Reference

Full API docs: https://docs.gitlab.com/ee/api/api_resources.html

Key endpoints:

Projects: /api/v4/projects
Repository files: /api/v4/projects/:id/repository/files
Repository tree: /api/v4/projects/:id/repository/tree
Branches: /api/v4/projects/:id/repository/branches

Comments

Loading comments...