gitlab-copilot
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interpolates user-provided or externally-fetched data (such as repo references, MR IDs, and generated comments) directly into `bash` commands using the `glab` CLI. If these variables contain shell metacharacters like `;`, `&`, or `$()`, it could lead to arbitrary command execution in the local environment.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests and processes untrusted data from an external source (GitLab).
  - Ingestion points: MR diffs fetched via `glab mr diff` and existing MR comments fetched via `glab mr note list`.
  - Boundary markers: The prompts use markdown headers (e.g., `## Diff`, `## Existing MR Comments`) to separate data, but they lack explicit instructions for the model to ignore any instructions embedded within the diff or comments.
  - Capability inventory: The skill has access to the `bash` tool for executing CLI commands and the `skill` tool to trigger the `neo-team-copilot` skill, which performs automated code changes.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from GitLab before it is passed to the specialist agents.
Audit Metadata