gitlab

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • CREDENTIALS_UNSAFE (HIGH): The skill explicitly instructs the agent to embed the sensitive GITLAB_TOKEN into the git remote URL using the command git remote set-url origin https://oauth2:${GITLAB_TOKEN}@gitlab.com/username/repo.git. This practice is highly insecure as it stores the secret in plain text within the repository's .git/config file and can lead to token exposure in shell history, process listings, and CI/CD logs.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted data from GitLab repositories.
      • Ingestion points: Data enters the agent context through GitLab repository content, merge request titles, and descriptions during git and curl operations.
      • Boundary markers: Absent. The instructions do not provide delimiters or warnings for the agent to ignore instructions embedded in the code or metadata it retrieves.
      • Capability inventory: The skill utilizes shell commands (git, curl) and a create_mr tool, providing a wide surface for malicious instructions to trigger actions.
      • Sanitization: Absent. There is no evidence of sanitization or validation of data fetched from the external GitLab API before it is processed by the agent.
  • COMMAND_EXECUTION (LOW): The skill relies on bash command execution to perform its core functions. While this is the intended purpose, it provides the necessary primitives for an attacker to execute arbitrary code if they can successfully perform an indirect prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:06 PM