GitLab Agent

Security checks across malware telemetry and agentic risk

Overview

This GitLab skill is coherent but gives the agent broad permission to modify repositories and GitLab state without asking the user first.

Install only if you intend to give the agent autonomous GitLab write access. Use a least-privilege GitLab token: prefer a project access token with the minimum scopes and role, since a personal access token acts as you across every project you can reach and cannot be limited to specific ones. Supervise any task that could push code, create or merge MRs, change CI variables, add reviewers, comment publicly, or alter issue and time-tracking state.
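One way to enforce the token part of that advice before the agent starts, as an added example that is not part of the skill or of GitLab's own tooling: ask GitLab to describe the token the agent holds and refuse to run unless its scopes fit an allowlist and its expiry is short. The endpoint used is GET /api/v4/personal_access_tokens/self, which is documented for personal tokens; whether it answers for a project access token on your GitLab version is an assumption to verify. The allowlist, the 30-day limit, the fixed "as of" date and the two sample token records are constructed for this example.

```python
import json
import urllib.request
from datetime import date, timedelta

# Scopes that grant broad or administrative authority; an agent token should carry none of them.
BROAD_SCOPES = {"api", "sudo", "admin_mode", "write_registry", "create_runner"}

# Constructed policy for this example: the agent may read the API and read/write repository
# contents, and its token must expire within a month.
AGENT_ALLOWED_SCOPES = {"read_api", "read_repository", "write_repository"}
MAX_LIFETIME_DAYS = 30
AS_OF = date(2025, 1, 1)  # fixed reference date so the sample checks are reproducible


def fetch_token_info(base_url, token):
    """Ask GitLab to describe the token that makes the request.

    Uses GET /api/v4/personal_access_tokens/self. Not exercised offline; the policy
    check below runs on the constructed sample records instead.
    """
    url = base_url.rstrip("/") + "/api/v4/personal_access_tokens/self"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_token(info, allowed_scopes=AGENT_ALLOWED_SCOPES,
                max_lifetime_days=MAX_LIFETIME_DAYS, today=None):
    """Return the list of policy violations for a token record; an empty list means go."""
    today = today or date.today()
    problems = []
    if info.get("revoked") or not info.get("active", False):
        problems.append("token is revoked or inactive")
    scopes = set(info.get("scopes", []))
    broad = scopes & BROAD_SCOPES
    if broad:
        problems.append("broad scopes present: " + ", ".join(sorted(broad)))
    extra = scopes - set(allowed_scopes)
    if extra:
        problems.append("scopes outside the allowlist: " + ", ".join(sorted(extra)))
    expires = info.get("expires_at")
    if not expires:
        problems.append("token never expires")
    elif date.fromisoformat(expires) > today + timedelta(days=max_lifetime_days):
        problems.append(f"expiry {expires} is more than {max_lifetime_days} days out")
    return problems


def token_is_acceptable(info, today=None):
    """Gate the agent's start-up on the policy check."""
    return not check_token(info, today=today)


# Constructed sample records in the shape the endpoint returns (no real tokens involved).
BROAD_TOKEN = {"id": 1, "name": "agent", "revoked": False, "active": True,
               "scopes": ["api", "write_repository"], "expires_at": None}
SCOPED_TOKEN = {"id": 2, "name": "agent", "revoked": False, "active": True,
                "scopes": ["read_api", "write_repository"], "expires_at": "2025-01-20"}


if __name__ == "__main__":
    for name, record in (("broad", BROAD_TOKEN), ("scoped", SCOPED_TOKEN)):
        print(name, check_token(record, today=AS_OF) or "ok")
```

The `api` scope is the one to watch: it is the default people reach for, and it covers every write the findings below describe, so a token carrying it makes the rest of the allowlist meaningless.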

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The skill uses broad activation and execution language like repeating a routine and deciding next steps autonomously, without defining clear task boundaries or requiring user-scoped objectives. In a skill with authenticated GitLab access and write capabilities, this can cause the agent to act on loosely related issues or repositories beyond the user's intended scope.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill explicitly authorizes write actions with lasting external effect, such as push and merge-request creation (and clone, which is read-only but pulls the full repository onto the agent host), without warning, approval, or contextual risk checks. Because the agent operates with a GitLab token, these instructions can directly modify remote state, trigger CI, create branches/MRs, and leave persistent changes across repositories.

Ssd 4

Severity: High
Confidence: 99%
Finding
These instructions systematically eliminate approval checkpoints by saying confirmation is unnecessary and all write actions are low risk or reversible, which is false for many GitLab actions: a merge into a protected branch, a pipeline run, or a changed CI variable cannot simply be undone. This creates a strong prompt-level bypass of human oversight and can lead to unauthorized code changes, workflow manipulation, or irreversible external effects.

Ssd 4

Severity: Medium
Confidence: 91%
Finding
Telling the agent to do work 'without asking' reinforces autonomous decision-making in a high-privilege GitLab context. While less severe than explicit irreversible-action authorization, it still pushes the agent to take unilateral action where clarification or approval is necessary to avoid unintended repository changes.

Ssd 4

Severity: High
Confidence: 97%
Finding
The skill explicitly instructs the agent not to ask the owner or reviewer and to proceed on its own, which suppresses normal governance and review controls in merge-request workflows. In context, this is especially dangerous because the same skill also directs the agent to fix pipelines, comment, assign reviewers, and otherwise modify project state using authenticated access.
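A gate that puts back the approval checkpoint these findings say the skill removes, as an added example that is not part of the skill or of GitLab's tooling. It classifies each GitLab REST call the agent wants to make by method and path: reads pass; visible but undoable writes (opening an MR, creating a branch, commenting, assigning reviewers, logging time) are recorded and allowed; lasting actions (merging, deleting anything, committing through the API, triggering a pipeline, and touching CI variables, which hold secrets even on read) block until a human has approved that exact call. Any write the table does not recognise is treated as lasting, so the gate fails closed. The rule table, the decision names and the sample paths are constructed for this example; the paths follow GitLab's v4 REST layout, but the table is a starting point, not a complete map of the API.

```python
import re
from dataclasses import dataclass, field

# Constructed rule table: (methods, or None for any; path regex; decision). First match wins.
# "approve": lasting or external effect, needs a human.  "notify": visible but undoable,
# record it and continue.  Unmatched calls are "allow" for GET/HEAD and "approve" otherwise.
RULES = [
    (None,            r"^/projects/[^/]+/variables(/.*)?$",                      "approve"),  # CI variables hold secrets
    (("PUT",),        r"^/projects/[^/]+/merge_requests/\d+/merge$",             "approve"),  # merge
    (("DELETE",),     r".*",                                                     "approve"),  # deleting anything
    (("POST",),       r"^/projects/[^/]+/repository/commits$",                   "approve"),  # commit through the API
    (("POST",),       r"^/projects/[^/]+/pipeline$",                             "approve"),  # trigger CI
    (("POST",),       r"^/projects/[^/]+/(merge_requests|repository/branches)$", "notify"),   # open MR, create branch
    (("POST", "PUT"), r"^/projects/[^/]+/(merge_requests|issues)/\d+(/.*)?$",    "notify"),   # comments, reviewers, time tracking
]


def classify(method, path):
    """Map one REST call to a decision; unknown writes fail closed."""
    method = method.upper()
    for methods, pattern, decision in RULES:
        if (methods is None or method in methods) and re.match(pattern, path):
            return decision
    return "allow" if method in ("GET", "HEAD") else "approve"


class ApprovalRequired(Exception):
    """Raised when a call needs a human decision that has not been given."""


@dataclass
class WriteGate:
    approved: set = field(default_factory=set)  # (METHOD, path) pairs a human signed off on
    audit: list = field(default_factory=list)   # every call the agent attempted, with its decision

    def approve(self, method, path):
        """Record a human's sign-off for one exact call (not for a class of calls)."""
        self.approved.add((method.upper(), path))

    def authorize(self, method, path):
        """Call before every GitLab request the agent wants to make."""
        decision = classify(method, path)
        self.audit.append((method.upper(), path, decision))
        if decision == "approve" and (method.upper(), path) not in self.approved:
            raise ApprovalRequired(f"{method.upper()} {path} needs human approval")
        return decision


def needs_approval(gate, method, path):
    """True when the gate would stop this call pending a human decision."""
    try:
        gate.authorize(method, path)
        return False
    except ApprovalRequired:
        return True


if __name__ == "__main__":
    # Constructed calls an agent following the skill might attempt.
    gate = WriteGate()
    for m, p in [("GET", "/projects/42/merge_requests/7"),
                 ("POST", "/projects/42/merge_requests/7/notes"),
                 ("PUT", "/projects/42/merge_requests/7/merge"),
                 ("GET", "/projects/42/variables/DEPLOY_KEY")]:
        print(m, p, "-> blocked" if needs_approval(gate, m, p) else "-> " + gate.audit[-1][2])
```

A git push from the agent's shell never passes through this gate, so either wrap the git command the same way or remove the possibility at the token: without the `write_repository` scope the push is rejected by GitLab regardless of what the prompt says. Approval is per exact call on purpose; approving "merges" as a class would recreate the blanket authority the findings object to.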

VirusTotal

60/60 vendors flagged this skill as clean. Antivirus engines match malware signatures and do not evaluate prompt-level authority or agency, so this result does not offset the findings above.