gitlab
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `glab` CLI to perform a wide range of GitLab operations. This includes read-only actions like `glab mr view` and `glab mr diff`, as well as actions that modify the repository or CI state, such as `glab mr note`, `glab mr approve`, and `glab ci retry`.
- [DATA_EXFILTRATION]: To configure its sub-agents, the skill reads instruction files from the local filesystem at `~/.claude/agents/code-reviewer.agent.md` and `~/.claude/agents/security.agent.md`. It also reads the project's `CLAUDE.md` file. The contents of these files are included in prompts sent to external LLMs (Claude Opus and Sonnet).
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection because it incorporates untrusted external data into agent prompts.
  - Ingestion points: Untrusted data enters the context through `glab mr diff` (the code being reviewed) and the project's `CLAUDE.md` file.
  - Boundary markers: The skill uses basic Markdown headers (e.g., `## Diff`, `## Project Conventions`) to delimit data, which does not provide strong protection against instructions embedded within that data.
  - Capability inventory: The agent has the ability to post comments, approve Merge Requests, and manage CI/CD pipelines via the `glab` CLI.
  - Sanitization: There is no evidence of sanitization or escaping of the diff content or project conventions before they are interpolated into the reviewer prompts.