Gitlab Cli Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a GitLab CLI reference skill whose write-capable examples are expected for its stated purpose, but users should control when authenticated GitLab changes are made.

Install only if you want your agent to help operate GitLab through glab. Use least-privilege GitLab tokens or bot accounts, verify the target host/project/user before any write, and require explicit confirmation for merges, deletes, token changes, runner changes, or direct API POST/PATCH/PUT/DELETE calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 77%
Finding
The skill documents destructive and state-changing operations across GitLab resources, and warnings are inconsistent. In an agent setting, this can normalize unsafe execution of delete/update/merge/revoke actions without an explicit confirmation or dry-run step, increasing the chance of unintended repository or CI/CD changes.

VirusTotal

64/64 vendors flagged this skill as clean.
