gitlab
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection due to its core functionality.
  - Ingestion points: The agent reads untrusted external data via `glab issue view`, `glab mr view`, `glab mr diff`, and `glab ci trace` (CI logs).
  - Boundary markers: There are no instructions or delimiters provided to help the agent distinguish between its own system instructions and the untrusted data being read.
  - Capability inventory: The agent has high-privilege capabilities including `glab mr approve`, `glab mr merge`, `glab ci run`, and arbitrary `glab api` writes (POST/PUT).
  - Sanitization: No sanitization or filtering of the fetched GitLab content is performed before the agent processes it.
- Command Execution (LOW): The skill relies entirely on executing shell commands via the `glab` CLI. While these are legitimate tools, the agent's ability to construct and run these commands based on untrusted input increases the attack surface.
- Data Exposure (LOW): The skill documents the location of sensitive credentials in `~/.config/glab-cli/config.yml`. While necessary for the tool, this highlights the high-value target for any successful exploit.
- Privilege Escalation (MEDIUM): The documentation suggests the use of `sudo apt install glab`, which requires administrative privileges. This is a standard installation procedure but remains a sensitive operation.
Recommendations
- AI detected serious security threats