gitlab-assistant

Pass

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • Indirect Prompt Injection (LOW): The skill is designed to ingest and process untrusted data from external sources (GitLab issues, merge requests, wikis, and repository files).
      • Ingestion points: SKILL.md references tools and commands that read content from glab issue, glab mr, glab api .../repository/files/, and glab api .../wikis.
      • Boundary markers: There are no instructions or delimiters defined to prevent the agent from following malicious instructions embedded within the retrieved GitLab content.
      • Capability inventory: The skill allows the use of the Bash tool to execute glab CLI commands, which can perform destructive actions like deleting repositories, merging code, or triggering CI pipelines.
      • Sanitization: No sanitization or validation of the external content is performed before processing.
  • Credentials Unsafe (LOW): The skill specifically includes a sub-skill (gitlab-variable) for managing CI/CD variables and secrets.
      • Evidence: SKILL.md explicitly lists glab variable set and glab variable list as key commands and identifies them as 'high risk' (⚠️⚠️) because they contain secrets. While this is a primary function of the skill, it presents a risk of credential exposure if an attacker can trick the agent into revealing these variables.
  • Command Execution (LOW): The skill relies on the execution of shell commands via the Bash tool and the glab CLI.
      • Evidence: SKILL.md lists numerous CLI commands such as glab repo clone, glab ci run, and glab mr merge. These are intended behaviors but could be abused if the agent is compromised via indirect prompt injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 20, 2026, 09:15 AM