gitlab-mcp-skill

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE · PROMPT_INJECTION · COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes content from external GitLab entities.
      • Ingestion points: Data from tools like get_issue, get_merge_request_notes, search_code, and get_pipeline_job_output can contain malicious instructions from third-party contributors.
      • Boundary markers: There are no explicit instructions to wrap retrieved content in delimiters or to ignore embedded commands.
      • Capability inventory: The skill provides powerful tools for committing code (push_files), triggering pipelines (create_pipeline), and downloading files (download_job_artifacts).
      • Sanitization: The instructions do not define sanitization or filtering logic for data retrieved from the GitLab API.
  • [COMMAND_EXECUTION]: The tool download_job_artifacts accepts a local_path parameter, allowing the agent to write artifact files directly to the local file system. This capability should be used with caution to prevent overwriting sensitive local files.
  • [COMMAND_EXECUTION]: The skill includes high-impact tools such as push_files, create_or_update_file, and execute_graphql, which allow the agent to make significant modifications to remote repositories and execute arbitrary queries against the GitLab instance.
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 01:38 AM