Skill Trust Decision

gitlab

Skill contains hardcoded GitLab API token and undocumented script that uses subprocess with curl, creating significant credential exposure and exfiltration risk.

Install decision first
Source: Manual upload · Scanned: Apr 3, 2026
Files 6
Artifacts 9
Violations 1
Findings 4
Most direct threat evidence
Critical
Hardcoded GitLab API Token

Personal Access Token 'glpat-UEfWfdCYx9e46BQnW5nz' for host 'https://git.littaro.cn' is hardcoded in plaintext in scripts/fetch_repos.py. This token could be scraped and used to access all repositories the token has permission for.

scripts/fetch_repos.py:7

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Block
Hidden execution and egress

1 high-risk artifacts or egress signals were extracted.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 3 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
fetch_repos.py contains hardcoded GitLab token for git.littaro.cn

Entry · scripts/fetch_repos.py:7

02
Undocumented subprocess with curl executes API calls using hardcoded token

Escalation · scripts/fetch_repos.py:14

03
Credential exposure through hardcoded PAT allows unauthorized repository access

Impact · scripts/fetch_repos.py:7

What drove the risk score up

Hardcoded API token +30

GitLab PAT glpat-UEfWfdCYx9e46BQnW5nz hardcoded in scripts/fetch_repos.py:7

Hidden script functionality +20

fetch_repos.py not documented in SKILL.md, uses undocumented subprocess/curl

Undeclared shell execution +15

SKILL.md does not mention subprocess or curl usage for API calls

SSL verification disabled +5

-k flag in curl allows MITM attacks on credential transmission

Most important evidence

Critical

Hardcoded GitLab API Token

Personal Access Token 'glpat-UEfWfdCYx9e46BQnW5nz' for host 'https://git.littaro.cn' is hardcoded in plaintext in scripts/fetch_repos.py. This token could be scraped and used to access all repositories the token has permission for.

scripts/fetch_repos.py:7
Remove hardcoded token and require config.json for all credential handling

High

Undocumented Script with Subprocess

fetch_repos.py uses subprocess.run() with curl to fetch repositories, but this functionality is not declared in SKILL.md. Users have no awareness this script exists or that it performs network operations.

scripts/fetch_repos.py:14
Document all scripts in SKILL.md or remove undocumented implementations

High

Disabled SSL Verification

curl command uses -k flag to skip SSL certificate verification, exposing credentials to interception in MITM attacks.

scripts/fetch_repos.py:15
Remove -k flag or implement proper SSL verification for production use

Medium

Data Exfiltration Risk

The hidden fetch_repos.py script fetches all accessible repositories and could be modified to exfiltrate the repository list to external servers. The hardcoded host and token combination makes this particularly risky.

scripts/fetch_repos.py:7
Audit all scripts for data transmission behavior not present in documented skill capabilities

Declared capability vs actual capability

Filesystem · Pass · Declared READ · Inferred READ · SKILL.md states read access only
Network · Pass · Declared READ · Inferred READ · SKILL.md documents API operations
Shell · Block · Declared NONE · Inferred WRITE · fetch_repos.py:14-18 uses subprocess.run()

Suspicious artifacts and egress

Critical API Key
glpat-UEfWfdCYx9e46BQnW5nz

scripts/fetch_repos.py:7

Medium External URL
https://gitlab.example.com

SKILL.md:16

Medium External URL
https://gitlab.example.com/username/my-project

SKILL.md:61

Medium External URL
https://gitlab.example.com/username/my-project.git

SKILL.md:62

Medium External URL
https://gitlab.example.com/group/project

SKILL.md:85

Medium External URL
https://oauth2:TOKEN@host/project.git

SKILL.md:92

Medium External URL
https://gitlab.example.com/group/project-name

SKILL.md:116

Medium External URL
https://git.littaro.cn

scripts/fetch_repos.py:8

Medium External URL
https://host/group/project

scripts/gitlab_api.py:112

Dependencies and supply chain

There are no structured dependency warnings.

File composition

6 files · 1177 lines
Python 3 files · 794 lines
Markdown 1 file · 326 lines
JSON 2 files · 57 lines
Files of concern · 4
scripts/config.json JSON · 4 lines
scripts/gitlab_api.py Python · 698 lines
https://host/group/project
SKILL.md Markdown · 326 lines
https://gitlab.example.com · https://gitlab.example.com/username/my-project · https://gitlab.example.com/username/my-project.git · https://gitlab.example.com/group/project · https://oauth2:TOKEN@host/project.git · https://gitlab.example.com/group/project-name
scripts/fetch_repos.py Python · 33 lines
Hardcoded GitLab API Token · Undocumented Script with Subprocess · Disabled SSL Verification · Data Exfiltration Risk · glpat-UEfWfdCYx9e46BQnW5nz · https://git.littaro.cn
Other files · evals.json · list_repos.py

Security positives

gitlab_api.py uses config.json for credentials (proper credential handling)
list_repos.py reads credentials from config.json only
SKILL.md documents proper config.json usage for user credentials
Skill functionality (GitLab operations) is legitimate and documented