gitlab-cli-skills 安全扫描报告 — 低风险 | ClawSafe

10 /100

gitlab-cli-skills

Comprehensive GitLab CLI (glab) command reference and workflows for all GitLab operations via terminal

This is a legitimate GitLab CLI (glab) documentation/reference skill with no malicious behavior. The only finding is a documentation example showing a masked PAT format, which is a false positive since the token is redacted.

技能名称gitlab-cli-skills

分析耗时43.0s

引擎pi

✓

可以安装

No action required. This skill provides safe, documented access to GitLab CLI operations through the legitimate glab binary.

安全发现 2 项

严重性	安全发现	位置
提示	Masked PAT format example in documentation Line 178 of glab-auth/references/commands.md shows 'glpat-xxxxxxxxxxxxxxxxxxxx' as a command example. This is a redacted/masked placeholder showing the expected PAT format, not an actual credential. `$ glab auth dpop-gen --private-key "~/.ssh/id_rsa" --pat "glpat-xxxxxxxxxxxxxxxxxxxx"` → No action needed - this is a legitimate documentation example with redacted token	`glab-auth/references/commands.md:178`
提示	No executable scripts present SKILL.md references scripts/ directory for workflows but no scripts/ directory exists. This is a pure documentation/reference skill. `Scripts in this skill can post comments...` → Documentation may reference non-existent scripts - consider removing or adding scripts if needed	`SKILL.md:1`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	SKILL.md: requires network access to GitLab API via HTTPS
文件系统	`READ`	`READ`	✓ 一致	SKILL.md: mentions ~./ssh/id_rsa and ~/.docker/config.json for DPoP and registry…
环境变量	`READ`	`READ`	✓ 一致	SKILL.md: reads GITLAB_TOKEN, GITLAB_HOST env vars
命令执行	`NONE`	`NONE`	—	No shell execution - skill is documentation only, relies on glab binary

1 严重 50 项发现

🔑

严重 API 密钥硬编码 API 密钥

glpat-xxxxxxxxxxxxxxxxxxxx

glab-auth/references/commands.md:178

🔗

中危外部 URL 外部 URL

https://gitlab.com/gitlab-org/cli/-/releases

SKILL.md:4

🔗

中危外部 URL 外部 URL

https://gitlab.com

SKILL.md:26

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/api/

glab-api/SKILL.md:20

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/api/graphql/

glab-api/SKILL.md:21

🔗

中危外部 URL 外部 URL

https://jsonlines.org/

glab-api/SKILL.md:74

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/api/attestations/

glab-attestation/references/commands.md:38

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/ci/pipeline_security/slsa/provenance_v1/

glab-attestation/references/commands.md:39

🔗

中危外部 URL 外部 URL

https://slsa.dev/attestation-model

glab-attestation/references/commands.md:40

🔗

中危外部 URL 外部 URL

https://docs.sigstore.dev/cosign/system_config/installation/

glab-attestation/references/commands.md:43

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/cli/auth/

glab-auth/references/commands.md:3

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/user/profile/personal_access_tokens/#require-dpop-headers-with-personal-

glab-auth/references/commands.md:156

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/policy/development_stages_support/

glab-auth/references/commands.md:165

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/ci/jobs/job_rules/#ci_pipeline_source-predefined-variable

glab-ci/references/commands.md:213

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/editor_extensions/gitlab_cli/#run-…

glab-ci/references/commands.md:307

🔗

中危外部 URL 外部 URL

https://staging.example.com

glab-ci/references/pipeline-best-practices.md:193

🔗

中危外部 URL 外部 URL

https://gitlab.com/your-group/your-project/badges/main/coverage.svg

glab-ci/references/pipeline-best-practices.md:294

🔗

中危外部 URL 外部 URL

https://api.example.com

glab-ci/references/pipeline-best-practices.md:569

🔗

中危外部 URL 外部 URL

https://staging-api.example.com

glab-ci/references/pipeline-best-practices.md:577

🔗

中危外部 URL 外部 URL

https://$CI_COMMIT_REF_SLUG.review.example.com

glab-ci/references/pipeline-best-practices.md:609

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/ee/ci/yaml/

glab-ci/references/pipeline-best-practices.md:663

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/ee/ci/examples/

glab-ci/references/pipeline-best-practices.md:664

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/ee/ci/pipelines/pipeline_efficiency.html

glab-ci/references/pipeline-best-practices.md:665

🔗

中危外部 URL 外部 URL

https://docs.brew.sh/Shell-Completion

glab-completion/SKILL.md:97

🔗

中危外部 URL 外部 URL

http://proxy.example.com:8080

glab-config/SKILL.md:60

🔗

中危外部 URL 外部 URL

https://gitlab.mycompany.com

glab-config/SKILL.md:111

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/user/gitlab_duo_cli/

glab-duo/SKILL.md:19

🔗

中危外部 URL 外部 URL

https://gitlab.com/groups/gitlab-org/-/work_items/20826

glab-duo/SKILL.md:22

🔗

中危外部 URL 外部 URL

https://gitlab.com/NAMESPACE/REPO/-/issues/incident/123

glab-incident/references/commands.md:46

🔗

中危外部 URL 外部 URL

https://gitlab.com/OWNER/REPO/-/issues/incident/123

glab-incident/references/commands.md:150

🔗

中危外部 URL 外部 URL

https://gitlab.com/NAMESPACE/REPO/-/issues/123

glab-issue/references/commands.md:74

🔗

中危外部 URL 外部 URL

https://gitlab.com/profclems/glab/-/issues/123

glab-issue/references/commands.md:138

🔗

中危外部 URL 外部 URL

https://gitlab.com/OWNER/REPO/-/issues/123

glab-issue/references/commands.md:244

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/policy/development_stages_support/.

glab-mcp/SKILL.md:21

🔗

中危外部 URL 外部 URL

https://gitlab.com/api/v4/projects/

glab-mr/SKILL.md:182

🔗

中危外部 URL 外部 URL

https://gitlab.com/gitlab-org/cli/-/merge_requests/1234

glab-mr/references/commands.md:130

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/user/project/quick_actions/

glab-quick-actions/SKILL.md:424

🔗

中危外部 URL 外部 URL

https://gitlab.com/upstream-group/project.git

glab-repo/SKILL.md:69

🔗

中危外部 URL 外部 URL

https://gitlab.com/gitlab-org/cli

glab-repo/references/commands.md:92

🔗

中危外部 URL 外部 URL

https://username:[email protected]/org/repo

glab-repo/references/commands.md:378

🔗

中危外部 URL 外部 URL

https://gitlab.example.com/org/repo

glab-repo/references/commands.md:390

🔗

中危外部 URL 外部 URL

https://username:[email protected]/org/priv…

glab-repo/references/commands.md:393

🔗

中危外部 URL 外部 URL

https://gitlab-backup.example.com/backup/myproject

glab-repo/references/commands.md:399

🔗

中危外部 URL 外部 URL

https://gitlab-backup.example.com/backup/repo

glab-repo/references/commands.md:402

🔗

中危外部 URL 外部 URL

https://gitlab.company.org/user/repo

glab-repo/references/commands.md:540

🔗

中危外部 URL 外部 URL

https://gitlab.company.org/user/repo.git

glab-repo/references/commands.md:541

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/api/user_tokens/#create-a-personal-access-token

glab-token/references/commands.md:45

🔗

中危外部 URL 外部 URL

https://docs.gitlab.com/user/profile/personal_access_tokens/#personal-access-token-scopes.

glab-token/references/commands.md:83

📧

提示邮箱邮箱地址

[email protected]

glab-repo/references/commands.md:378

📧

提示邮箱邮箱地址

[email protected]

glab-repo/references/commands.md:539

目录结构

75 文件 · 435.6 KB · 11803 行

Markdown 72f · 11466L YAML 3f · 337L

├─ ▾ 📁 glab-alias

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 105L · 5.1 KB

│ └─ 📝 SKILL.md Markdown 37L · 975 B

├─ ▾ 📁 glab-api

│ └─ 📝 SKILL.md Markdown 173L · 6.3 KB

├─ ▾ 📁 glab-attestation

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 64L · 3.2 KB

│ └─ 📝 SKILL.md Markdown 43L · 1.5 KB

├─ ▾ 📁 glab-auth

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 192L · 6.1 KB

│ └─ 📝 SKILL.md Markdown 199L · 7.5 KB

├─ ▾ 📁 glab-changelog

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 47L · 1.7 KB

│ └─ 📝 SKILL.md Markdown 35L · 858 B

├─ ▾ 📁 glab-check-update

│ └─ 📝 SKILL.md Markdown 38L · 1.6 KB

├─ ▾ 📁 glab-ci

│ ├─ ▾ 📁 references

│ │ ├─ 📝 commands.md Markdown 516L · 28.1 KB

│ │ └─ 📝 pipeline-best-practices.md Markdown 671L · 12.4 KB

│ ├─ ▾ 📁 templates

│ │ ├─ 📋 docker-build.yml YAML 122L · 2.8 KB

│ │ ├─ 📋 nodejs-basic.yml YAML 85L · 1.4 KB

│ │ ├─ 📋 nodejs-multistage.yml YAML 130L · 2.6 KB

│ │ └─ 📝 README.md Markdown 296L · 6.3 KB

│ └─ 📝 SKILL.md Markdown 311L · 7.5 KB

├─ ▾ 📁 glab-cluster

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 57L · 2.2 KB

│ └─ 📝 SKILL.md Markdown 51L · 1.6 KB

├─ ▾ 📁 glab-completion

│ └─ 📝 SKILL.md Markdown 118L · 10.9 KB

├─ ▾ 📁 glab-config

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 129L · 6.4 KB

│ └─ 📝 SKILL.md Markdown 116L · 5.1 KB

├─ ▾ 📁 glab-deploy-key

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 123L · 4.4 KB

│ └─ 📝 SKILL.md Markdown 53L · 1.7 KB

├─ ▾ 📁 glab-duo

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 67L · 4.1 KB

│ └─ 📝 SKILL.md Markdown 67L · 1.9 KB

├─ ▾ 📁 glab-gpg-key

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 113L · 3.3 KB

│ └─ 📝 SKILL.md Markdown 53L · 1.6 KB

├─ ▾ 📁 glab-help

│ └─ 📝 SKILL.md Markdown 31L · 743 B

├─ ▾ 📁 glab-incident

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 209L · 8.1 KB

│ └─ 📝 SKILL.md Markdown 46L · 1.5 KB

├─ ▾ 📁 glab-issue

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 337L · 13.6 KB

│ └─ 📝 SKILL.md Markdown 147L · 3.4 KB

├─ ▾ 📁 glab-iteration

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 49L · 1.4 KB

│ └─ 📝 SKILL.md Markdown 36L · 963 B

├─ ▾ 📁 glab-job

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 46L · 1.4 KB

│ └─ 📝 SKILL.md Markdown 125L · 3.3 KB

├─ ▾ 📁 glab-label

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 150L · 4.5 KB

│ └─ 📝 SKILL.md Markdown 117L · 3.3 KB

├─ ▾ 📁 glab-mcp

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 84L · 5.6 KB

│ └─ 📝 SKILL.md Markdown 57L · 2.8 KB

├─ ▾ 📁 glab-milestone

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 188L · 8.2 KB

│ └─ 📝 SKILL.md Markdown 54L · 1.6 KB

├─ ▾ 📁 glab-mr

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 692L · 22.7 KB

│ └─ 📝 SKILL.md Markdown 381L · 10.6 KB

├─ ▾ 📁 glab-opentofu

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 79L · 3.1 KB

│ └─ 📝 SKILL.md Markdown 47L · 1.4 KB

├─ ▾ 📁 glab-quick-actions

│ └─ 📝 SKILL.md Markdown 426L · 13.8 KB

├─ ▾ 📁 glab-release

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 286L · 18.1 KB

│ └─ 📝 SKILL.md Markdown 63L · 2.2 KB

├─ ▾ 📁 glab-repo

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 550L · 30.6 KB

│ └─ 📝 SKILL.md Markdown 227L · 5.2 KB

├─ ▾ 📁 glab-runner

│ └─ 📝 SKILL.md Markdown 226L · 6.5 KB

├─ ▾ 📁 glab-runner-controller

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 464L · 11.9 KB

│ └─ 📝 SKILL.md Markdown 269L · 7.5 KB

├─ ▾ 📁 glab-schedule

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 155L · 5.5 KB

│ └─ 📝 SKILL.md Markdown 50L · 1.5 KB

├─ ▾ 📁 glab-securefile

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 191L · 9.4 KB

│ └─ 📝 SKILL.md Markdown 44L · 1.8 KB

├─ ▾ 📁 glab-snippet

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 82L · 3.6 KB

│ └─ 📝 SKILL.md Markdown 41L · 1.4 KB

├─ ▾ 📁 glab-ssh-key

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 136L · 4.9 KB

│ └─ 📝 SKILL.md Markdown 76L · 2.4 KB

├─ ▾ 📁 glab-stack

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 386L · 19.6 KB

│ └─ 📝 SKILL.md Markdown 72L · 3.4 KB

├─ ▾ 📁 glab-token

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 224L · 15.5 KB

│ └─ 📝 SKILL.md Markdown 39L · 1.3 KB

├─ ▾ 📁 glab-user

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 40L · 923 B

│ └─ 📝 SKILL.md Markdown 35L · 799 B

├─ ▾ 📁 glab-variable

│ ├─ ▾ 📁 references

│ │ └─ 📝 commands.md Markdown 206L · 8.3 KB

│ └─ 📝 SKILL.md Markdown 41L · 1.4 KB

├─ ▾ 📁 glab-version

│ └─ 📝 SKILL.md Markdown 30L · 630 B

├─ ▾ 📁 glab-workitems

│ └─ 📝 SKILL.md Markdown 116L · 3.2 KB

├─ 📝 README.md Markdown 95L · 2.7 KB

└─ 📝 SKILL.md Markdown 347L · 14.1 KB

安全亮点

✓ HTTPS enforced for all GitLab API communication - token never sent over HTTP

✓ Clear security warnings about never uploading private SSH keys

✓ Well-documented credential management with multi-actor identity guidance

✓ DPoP SSH key access explicitly declared in documentation

✓ Token environment variable precedence clearly documented

✓ No suspicious patterns: no base64 encoding, no curl|bash, no direct IP connections

✓ No credential exfiltration observed - skill is read-only documentation

✓ 40+ sub-skills organized by function with clear security boundaries