Skills
skills/e-marchand/skills/4d-publish-gitlab/Gen Agent Trust Hub

4d-publish-gitlab

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The Python script scripts/publish.py utilizes subprocess.run(shell=True) to execute system commands where arguments like --hostname, --group, and --description are directly interpolated into command strings. This pattern is susceptible to command injection.
  • In setup_gitlab_repo, variables derived from CLI flags are embedded into glab repo create and glab auth login commands. While the code attempts to escape double quotes for the description, this does not prevent injection via other shell metacharacters such as backticks, semicolons, or $() subshells.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the glab CLI tool via Homebrew on macOS. This download originates from a well-known and trusted package management service.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 10, 2026, 03:25 AM