GitLab Agent

Security checks across malware telemetry and agentic risk

Overview

This GitLab skill is purpose-aligned, but it gives an agent broad authenticated GitLab write authority and explicitly tells it not to ask before irreversible actions.

Install it only if you intentionally want an agent that can act autonomously in GitLab. Use a least-privilege token (prefer a project access token scoped to one project over a personal access token, and read scopes where the task allows), restrict it to non-production projects where possible, avoid maintainer-level or protected-branch permissions unless necessary, and supervise any use involving merges, releases, CI/CD variables, or pipeline-affecting changes.
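One way to enforce that guidance in front of the agent, as an added example that is not part of the skill, GitLab, or glab: check the token's scopes before the agent starts, then route every proposed command through a gate that runs read-only queries, asks for confirmation on ordinary writes, and blocks merges, releases, CI/CD variable changes, pipeline triggers and force pushes unless the operator has opted in (this addresses the scan's findings about missing confirmation and exposed CI/CD variable management). The token sample is a constructed stand-in for a GET /personal_access_tokens/self response, and the table of glab subcommands is an assumption to be checked against the installed glab version.

```python
"""Least-privilege gate for an autonomous GitLab agent (added example).

Assumes the agent emits shell command lines that pass through `gate()`
before execution, and that token metadata was fetched earlier from GitLab's
GET /personal_access_tokens/self endpoint (SAMPLE_TOKEN_INFO is constructed).
The glab subcommand tables are an assumption; verify against your glab version.
"""
from dataclasses import dataclass
from typing import Callable
import shlex

# Scopes that let the token change repositories/settings or impersonate users.
# A read-mostly agent should not carry any of them.
DANGEROUS_SCOPES = {"api", "write_repository", "sudo", "admin_mode"}

# Constructed sample of a GET /personal_access_tokens/self response.
SAMPLE_TOKEN_INFO = {
    "id": 42, "name": "agent-token",
    "scopes": ["api", "read_repository"],
    "expires_at": "2025-12-31", "active": True, "revoked": False,
}

def token_problems(info: dict) -> list[str]:
    """Return reasons this token is too powerful or unsafe for an agent."""
    problems = []
    risky = set(info.get("scopes", [])) & DANGEROUS_SCOPES
    if risky:
        problems.append(f"write/admin scopes present: {sorted(risky)}")
    if not info.get("expires_at"):
        problems.append("token never expires")
    if not info.get("active", False) or info.get("revoked", False):
        problems.append("token is inactive or revoked")
    return problems

# glab subcommands grouped by their effect on the remote (assumed table).
READ_ONLY = {("repo", "view"), ("repo", "clone"), ("mr", "list"), ("mr", "view"),
             ("mr", "diff"), ("issue", "list"), ("issue", "view"),
             ("ci", "status"), ("ci", "view"), ("variable", "list")}
# Ordinary writes: still need a human to say yes, but are easy to undo.
ORDINARY_WRITE = {("mr", "create"), ("mr", "close"), ("mr", "update"),
                  ("issue", "create"), ("issue", "close"), ("repo", "fork")}
# Merges, releases, CI/CD variables, pipeline runs and deletes alter secrets,
# trigger pipelines, or are hard to reverse: supervised only.
SENSITIVE = {("mr", "merge"), ("mr", "approve"), ("release", "create"),
             ("release", "delete"), ("variable", "set"), ("variable", "delete"),
             ("variable", "update"), ("ci", "run"), ("repo", "delete")}

@dataclass(frozen=True)
class Decision:
    action: str   # allow | confirm | supervise | deny
    reason: str

def classify(cmdline: str) -> Decision:
    """Decide how a proposed command line should be handled."""
    argv = shlex.split(cmdline)
    if not argv:
        return Decision("deny", "empty command")
    tool = argv[0]
    if tool == "git":
        if len(argv) > 1 and argv[1] == "push":
            if set(argv[2:]) & {"--force", "-f", "--force-with-lease", "--delete", "-d"}:
                return Decision("supervise", "force/delete push rewrites remote history")
            return Decision("confirm", "push changes remote branches")
        return Decision("allow", "local or read-only git operation")
    if tool != "glab":
        return Decision("deny", f"tool not on the allow list: {tool!r}")
    if len(argv) > 1 and argv[1] == "api":
        # `glab api` is raw REST access with the agent's token: treat as sensitive.
        return Decision("supervise", "raw API call with the agent token")
    key = tuple(argv[1:3])
    if key in READ_ONLY:
        return Decision("allow", "read-only query")
    if key in ORDINARY_WRITE:
        return Decision("confirm", "creates or edits remote objects")
    if key in SENSITIVE:
        return Decision("supervise", "merge/release/variable/pipeline change")
    return Decision("deny", f"unknown glab subcommand {' '.join(key)!r}")

Approver = Callable[[str, Decision], bool]

def gate(cmdline: str, approver: Approver, allow_sensitive: bool = False) -> tuple[str, Decision]:
    """Return ('run' | 'skipped' | 'blocked', decision). Sensitive commands are
    blocked unless the operator opted in, and even then need explicit approval."""
    d = classify(cmdline)
    if d.action == "allow":
        return "run", d
    if d.action == "confirm" or (d.action == "supervise" and allow_sensitive):
        return ("run" if approver(cmdline, d) else "skipped"), d
    return "blocked", d

if __name__ == "__main__":
    print("token problems:", token_problems(SAMPLE_TOKEN_INFO))
    ask = lambda cmd, d: input(f"{d.reason}: run {cmd!r}? [y/N] ").lower() == "y"
    for cmd in ["glab mr list", "glab mr create --fill", "glab variable set DEPLOY_KEY x"]:
        print(cmd, "->", gate(cmd, ask))
```

Unknown tools and unrecognized glab subcommands are denied rather than passed through, so a prompt-injected "run this" instruction cannot widen the agent's reach just by naming a command the table does not list. With the sample token, `token_problems` reports the `api` scope, which is exactly the over-broad grant the overview warns about.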

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability
Severity: Medium | Confidence: 97%

Finding: The skill explicitly authorizes broad write actions, including irreversible external operations such as clone, push, and MR creation, without confirmation. Because the skill runs with an authenticated GitLab identity and token, these instructions can cause unauthorized repository changes, workflow disruption, or data exposure well beyond passive GitLab interaction.

Context-Inappropriate Capability
Severity: Low | Confidence: 72%

Finding: The documented support for CI/CD variable management exposes a sensitive capability that can modify secrets, tokens, and pipeline behavior. In the context of an autonomous GitLab agent, surfacing this capability without strong guardrails increases the risk of credential misuse, persistence, or unauthorized pipeline changes.

Missing User Warnings
Severity: High | Confidence: 99%

Finding: The skill instructs the agent to perform irreversible external actions automatically and states that no confirmation is needed. This bypasses a critical safety checkpoint for authenticated operations and makes accidental or harmful repository modifications much more likely.

Missing User Warnings
Severity: Medium | Confidence: 81%

Finding: The metadata shows the skill is powered by a GitLab token and CLI, but the skill does not include adequate safety guidance about the sensitivity of authenticated actions. Users and downstream agents may treat token-backed operations as routine, increasing the chance of unintended writes or abuse of repository privileges.

Ssd 1
Severity: High | Confidence: 99%

Finding: These instructions explicitly disable human approval and normalize unrestricted irreversible actions as inherently low risk. That framing is unsafe because repository writes, MR actions, and other GitLab changes can trigger pipelines, alter code, affect collaborators, and be difficult to fully reverse.

Ssd 4
Severity: Medium | Confidence: 93%

Finding: The instruction sequence incrementally shifts the agent from ordinary task execution into fully autonomous sensitive action-taking, culminating in permission to make irreversible external changes without consent. This escalation is dangerous because it conditions the agent to override caution and expands operational authority beyond a safe interaction model.

VirusTotal

64 of 64 vendors reported this skill as clean (no detections). Note that this covers the packaged files only; the findings above concern the skill's instructions and granted authority, which antivirus scanning does not assess.

View on VirusTotal