glab

v1.0.4

Manage GitLab projects from the command line: create, review, merge MRs; manage issues; monitor and trigger CI/CD; support self-hosted instances and automation.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign (View report)
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md and the included scripts clearly require the glab CLI, jq, and a GITLAB_TOKEN, and they document installation via Homebrew/apt. The registry-level requirements, however, list no required binaries and no required environment variables. That mismatch is an inconsistency: the skill legitimately needs glab, jq and a GitLab token, but the registry metadata does not declare them.
Instruction Scope
The runtime instructions and scripts stay within the stated purpose (creating and listing MRs, watching pipelines, and calling the GitLab API). The README explicitly warns that `glab api` allows arbitrary API calls and recommends minimal token scopes. The scripts call only glab and jq; they do not read other system files and do not contact endpoints beyond the target GitLab instance.
Install Mechanism
No remote downloads or custom installers are present; SKILL.md suggests installing glab and jq via brew/apt (standard package managers). The registry manifest claims 'no install spec', while the skill's own metadata lists package-manager install options. This inconsistency should be reconciled, but the install sources themselves are low-risk (official package managers).
Credentials
The skill requires a GITLAB_TOKEN (and optionally GITLAB_HOST, TIMEOUT and INTERVAL), which is appropriate for a GitLab CLI helper. The registry metadata, however, lists no required environment variables, which is inconsistent with SKILL.md. Note also that `glab api` enables unrestricted API calls: a token with overly broad scopes (api or sudo) would allow destructive or exfiltrating actions, so a minimally scoped, project-level token is necessary.
Persistence & Privilege
The skill does not request always:true, does not claim to persist or modify other skills, and contains only shell scripts and documentation. It does not request elevated or system-wide privileges beyond running glab/jq commands in the user's environment.
What to consider before installing
This skill appears to be a legitimate glab (GitLab CLI) helper and the scripts are straightforward, but note two things: (1) the registry metadata does not declare the required binaries (glab, jq) or the required GITLAB_TOKEN, although SKILL.md and the scripts do; treat that as a red flag in the packaging and confirm the requirements before installing; (2) `glab api` can perform arbitrary API operations with your token, so only provide a token with the minimal scopes needed (prefer project-level tokens, and read_api for read-only tasks). Before installing or running it: inspect the two scripts locally, make sure glab and jq come from trusted package sources (brew/apt), and never supply a token with admin/sudo scope unless absolutely necessary. If you want to raise confidence to 'benign', ask the publisher to fix the registry metadata so it lists the required binaries and env vars (GITLAB_TOKEN) and to confirm the install spec.
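A preflight script that encodes the advice above, as an added example (it is not the skill's own scripts, nor code from glab or GitLab). It checks for the binaries and env var the registry metadata omits, and rejects a token whose scopes go beyond the task. The token document follows the shape of GitLab's GET /personal_access_tokens/self response, but the sample embedded here is constructed so the script runs offline; `--live` fetches the real one with `glab api`. The BROAD_SCOPES set and the allowed set `{"read_api"}` are this example's assumptions, not values from the page.

```python
"""Preflight for the glab skill's token and tooling.

Added example, not code from the skill, from glab, or from GitLab. It turns
the advice on this page into checks: required binaries present, GITLAB_TOKEN
set, and the token's scopes limited to what the task needs. The introspection
document mirrors the shape of GitLab's GET /personal_access_tokens/self
response, but SAMPLE_TOKEN_INFO below is constructed so the script runs offline.
"""
import datetime as dt
import json
import os
import shutil
import subprocess
import sys

# Scopes that let `glab api` do far more than list MRs or watch pipelines (assumed set).
BROAD_SCOPES = {"api", "sudo", "admin_mode", "write_repository"}

# Constructed sample of a minimally scoped, unexpired token.
SAMPLE_TOKEN_INFO = {
    "id": 42,
    "name": "glab-skill-readonly",
    "scopes": ["read_api"],
    "active": True,
    "revoked": False,
    "expires_at": "2099-01-01",
}


def missing_binaries(required=("glab", "jq"), which=shutil.which):
    """Names from `required` that are not on PATH; empty list if all are present."""
    return [name for name in required if which(name) is None]


def missing_env(env=os.environ, required=("GITLAB_TOKEN",)):
    """Required environment variables that are unset or empty."""
    return [name for name in required if not env.get(name)]


def check_token_scopes(token_info, allowed_scopes):
    """Findings for one token introspection document; an empty list means it passes.

    allowed_scopes is what the task really needs, e.g. {"read_api"} for
    listing MRs and watching pipelines.
    """
    findings = []
    scopes = set(token_info.get("scopes", []))
    for scope in sorted(scopes & BROAD_SCOPES):
        findings.append(f"broad scope '{scope}': glab api could make "
                        "destructive or exfiltrating calls with it")
    for scope in sorted(scopes - set(allowed_scopes) - BROAD_SCOPES):
        findings.append(f"scope '{scope}' is not needed for this task")
    if token_info.get("revoked") or not token_info.get("active", True):
        findings.append("token is revoked or inactive")
    expires = token_info.get("expires_at")
    if expires is None:
        findings.append("token has no expiry date; set one")
    elif dt.date.fromisoformat(expires) < dt.date.today():
        findings.append(f"token expired on {expires}")
    return findings


def fetch_token_info():
    """Live lookup (network): `glab api <path>` prints the JSON body of a GET
    against the instance glab is authenticated to; /personal_access_tokens/self
    describes the token it used."""
    out = subprocess.run(["glab", "api", "personal_access_tokens/self"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def preflight(allowed_scopes, token_info, env=os.environ, which=shutil.which):
    """All checks combined into one list of findings; empty means safe to proceed."""
    findings = [f"missing binary: {b}" for b in missing_binaries(which=which)]
    findings += [f"missing env var: {v}" for v in missing_env(env)]
    findings += check_token_scopes(token_info, allowed_scopes)
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:
        problems = preflight({"read_api"}, fetch_token_info())
    else:  # offline: stub PATH and env so only the constructed sample is judged
        problems = preflight({"read_api"}, SAMPLE_TOKEN_INFO,
                             env={"GITLAB_TOKEN": "placeholder"},
                             which=lambda name: "/usr/bin/" + name)
    for p in problems:
        print("FAIL:", p)
    print("OK: preflight passed" if not problems else f"{len(problems)} finding(s)")
```

Run without arguments it judges the constructed sample; `python preflight.py --live` asks the instance about the token glab is actually using and fails loudly on an `api` or `sudo` scope. Widen `allowed_scopes` (for example with `write_repository`) only for a task that genuinely has to push.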

Like a lobster shell, security has layers — review code before you run it.

latest: vk97a81qdv4pqnv98p4jrm7x50s821bk3
