GitLab Code Review

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it needs a GitLab token, local config storage, and an hourly scheduled job to operate.

Install only if you are comfortable giving the skill a GitLab read_api token and allowing it to fetch private commit diffs on a schedule. Use a dedicated least-privilege token with an expiration, verify the GitLab URL before saving it, keep workspace/.env private, and remove the cron job and token when you no longer need automated review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill instructs the agent to read and write workspace files, access environment-style secrets, and make network requests, but it does not declare any permissions or capability boundaries. This increases the chance that a user or reviewer cannot accurately understand the skill's access scope, leading to over-privileged execution and unsafe handling of sensitive data.

Context-Inappropriate Capability

Medium
Confidence: 79%
Finding
The script walks up to the workspace root and reads a shared .env file, giving this skill access to credentials and configuration beyond its own directory. In a multi-skill or shared-workspace environment, that broad secret scope increases blast radius if the skill is modified, compromised, or repurposed, and it violates least-privilege expectations.

Missing User Warnings

Medium
Confidence: 87%
Finding
The installation guide instructs users to place a GitLab Personal Access Token in `workspace/.env`, which normalizes local plaintext secret storage and gives only minimal warning. Even though it notes the file is in `.gitignore`, that does not protect against local compromise, backups, logs, accidental sharing, or misconfigured repositories, so the documentation encourages risky credential handling.

Vague Triggers

Medium
Confidence: 76%
Finding
The trigger conditions include broad natural-language phrases such as requests to configure monitoring or code review, which can cause the skill to activate in situations the user did not intend. Because the skill can read existing configuration, create cron jobs, and send messages, an accidental trigger could lead to unintended persistence and access to sensitive repositories or tokens.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill tells the agent to read and reuse existing GitLab-related configuration from workspace/.env without first clearly notifying the user that sensitive credentials may be accessed. Reusing stored secrets silently is risky because the agent may expose, misuse, or act on credentials the current user did not expect it to touch.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs storing a GitLab Personal Access Token directly in workspace/.env but does not warn about plaintext secret storage risks or access controls. Plaintext tokens in shared or insufficiently protected workspaces can be read by other skills, users, backups, or logs, enabling unauthorized GitLab API access.

VirusTotal

66/66 vendors flagged this skill as clean.
