gitlab-copilot

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill instructs the agent to fetch and embed full MR diffs into agent prompts, review outputs, handoff contexts, and posted comments (and does not require or enforce scrubbing), so any secrets present in those diffs would be read and likely included verbatim in generated outputs or downstream skill invocations.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches MR data, diffs, and "existing comments" from GitLab using glab commands (e.g., "glab mr view", "glab mr diff", "glab mr note list") and injects summaries of those user-generated MR comments into specialist-agent prompts and decision logic (MR Review / MR Fix workflows), exposing the agent to untrusted third-party content that can influence tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill fetches GitLab Merge Request URLs at runtime (e.g., https://gitlab.com/group/subgroup/project/-/merge_requests/42) and injects the MR JSON/diff into spawned agent prompts to drive code/security/QA reviews, so the externally fetched MR content directly controls agent instructions and is a required runtime dependency.