gitlab

Fail

Audited by Snyk on Mar 5, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains multiple examples that embed secret values verbatim (e.g., API tokens in Python/MCP config and explicit variable creation like "secret123"/"secret-value"), which would require the agent/LLM to handle or output secrets directly, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill clearly ingests user-generated content from GitLab (see SKILL.md's MCP Tools like gitlab_get_merge_request, gitlab_get_file_content, gitlab_get_job_log and the API/cURL examples against https://gitlab.com), which the agent is expected to read and which could directly influence actions such as approvals, merges, or pipeline triggers.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The .codebuddy/mcp.json config runs "npx -y @modelcontextprotocol/server-gitlab" at runtime, which fetches and executes remote code from the npm registry (e.g. https://registry.npmjs.org/@modelcontextprotocol/server-gitlab), and the skill relies on that server for its MCP tools.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 5, 2026, 01:08 AM