GitLab Agent Self Improvement

Security checks across malware telemetry and agentic risk

Overview

This skill is small and not malware, but under a vague "self-improvement" description it creates, assigns, and closes GitLab merge requests.

Install it only if you intend to let the agent act in the named GitLab project with your GitLab token; a project access token scoped to that project alone limits what a misfire can reach. Review every proposed MR creation or closure before it is executed, especially the closure of existing merge requests, because the skill itself asks for no confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill is presented as personal self-improvement, but its actual behavior is to operate on a GitLab project by creating, assigning, and closing merge requests. The mismatch makes unintended activation more likely and puts influence over the repository workflow behind an innocuous label, raising the chance of unauthorized or unexpected code-management actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
Creating, assigning, and closing GitLab merge requests is materially more powerful than what a user would expect from a self-improvement skill. That unjustified capability expansion can be abused to modify project workflow, create noise, or suppress pending work in a repository without clear user consent.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The skill uses vague self-improvement language without clear boundaries on when it should run or what systems it may affect. Broad wording makes overbroad activation more likely and, in this case, can lead the agent into repository-changing actions that the user did not specifically request.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The instruction to write findings into a new merge request and assign it to the agent triggers an external, state-changing repository action with no user-facing warning or confirmation step. This can produce unsolicited changes, spam project workflows, and normalize autonomous code-management behavior under a benign-sounding skill name.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
Closing an older merge request is a destructive workflow action because it can halt review, remove visibility from pending work, and interfere with collaborators' expectations. Doing so automatically and without a warning or approval step makes the skill especially dangerous in shared repositories.
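The Overview's advice to review every proposed creation or closure, and the two "Missing User Warnings" findings above, describe a confirmation step the skill itself lacks. The following is an added example, not the skill's code and not GitLab's API, of how a host could enforce that step in front of the tool call: read-only calls pass, every state-changing call is confined to the one project named at install, closing any MR this session did not open is refused outright, and everything else is put to a human before it runs. The action dict shape, the approver callback, the project name group/app and the MR iids used in the demo are all assumptions made for the demonstration.

```python
"""Human-in-the-loop gate for agent-proposed GitLab merge-request actions.

Added example; not part of the skill or of GitLab. The action dict shape,
the approver callback and the demo inputs below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable

# Only state-changing MR operations need approval; read-only calls pass.
STATE_CHANGING = {"create_merge_request", "assign_merge_request", "close_merge_request"}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class MRActionGate:
    allowed_project: str                  # the single project named at install time
    approve: Callable[[dict], bool]       # human callback; must never auto-answer yes
    opened_here: set = field(default_factory=set)   # MR iids this session created
    audit: list = field(default_factory=list)       # (action, Decision) trail

    def evaluate(self, action: dict) -> Decision:
        kind = action.get("action")
        project = action.get("project")
        if kind not in STATE_CHANGING:
            return self._record(action, True, "read-only call, no approval needed")
        if project != self.allowed_project:
            # The skill's trigger is vague; never let it wander into another repo.
            return self._record(action, False,
                                f"project {project!r} is outside scope {self.allowed_project!r}")
        if kind == "close_merge_request" and action.get("mr_iid") not in self.opened_here:
            # Closing someone else's MR halts their review; refuse without even asking.
            return self._record(action, False,
                                f"refusing to close !{action.get('mr_iid')}: not opened by this session")
        if not self.approve(action):
            return self._record(action, False, "user declined")
        return self._record(action, True, "user approved")

    def note_created(self, mr_iid: int) -> None:
        """Call after the API reports the iid of an MR this session created."""
        self.opened_here.add(mr_iid)

    def _record(self, action: dict, allowed: bool, reason: str) -> Decision:
        decision = Decision(allowed, reason)
        self.audit.append((action, decision))
        return decision


def run_demo() -> list:
    """Constructed sequence of actions a self-improvement skill might propose."""
    def ask(action: dict) -> bool:
        # Scripted stand-in for the user: accept only the new findings MR.
        return action["action"] == "create_merge_request"

    gate = MRActionGate(allowed_project="group/app", approve=ask)
    decisions = []
    decisions.append(gate.evaluate({"action": "list_merge_requests", "project": "group/app"}))
    created = gate.evaluate({"action": "create_merge_request", "project": "group/app",
                             "title": "Self-improvement findings"})
    decisions.append(created)
    if created.allowed:
        gate.note_created(42)  # iid the API would have returned (assumed)
    decisions.append(gate.evaluate({"action": "assign_merge_request", "project": "group/app",
                                    "mr_iid": 42}))
    decisions.append(gate.evaluate({"action": "close_merge_request", "project": "group/app",
                                    "mr_iid": 17}))   # an older MR nobody here opened
    decisions.append(gate.evaluate({"action": "close_merge_request", "project": "group/app",
                                    "mr_iid": 42}))
    decisions.append(gate.evaluate({"action": "create_merge_request", "project": "group/other",
                                    "title": "x"}))
    return decisions


if __name__ == "__main__":
    for action, decision in MRActionGate("group/app", lambda a: True).audit or []:
        pass
    for d in run_demo():
        print(f"{'ALLOW' if d.allowed else 'DENY '}  {d.reason}")
```

The hard refusal on closing an MR the session did not open is deliberate: a prompt-injected or over-triggered agent will happily answer its own confirmation prompt, so the destructive case is not left to the approver at all, while the audit trail gives the reviewer the record of what was asked and refused.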

VirusTotal

64/64 vendors flagged this skill as clean.
