中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:1 day ago Rescan
20 /100
gitlab
GitLab operations including creating and cloning repositories, listing projects, managing issues, merge requests, branches, commits, and pipelines
Legitimate GitLab CLI wrapper with minor documentation gaps: shell:WRITE via subprocess not explicitly declared, SSL bypass documented, but no malicious behavior detected.
Skill Namegitlab
Duration65.2s
Enginepi
Safe to install
Consider updating SKILL.md to explicitly declare shell:WRITE capability for git clone and curl operations, and add security notes about --insecure flag usage in production.

Findings 3 items

Severity Finding Location
Medium
Shell execution not declared in SKILL.md Doc Mismatch
SKILL.md declares network:READ capability but code uses subprocess.run() to execute git clone and curl commands, requiring shell:WRITE. The 'git operations' mentioned in clone workflow implicitly require shell access.
subprocess.run(['git', 'clone', clone_url, str(target_dir)], ...)
→ Update SKILL.md to declare shell:WRITE for git and curl operations
 scripts/gitlab_api.py:140
Low
SSL verification bypass flag Priv Escalation
The --insecure flag uses ssl._create_unverified_context() and curl -k, bypassing SSL certificate verification. This is useful for internal GitLab with self-signed certs but could enable MITM attacks if misused.
self.ssl_context = ssl._create_unverified_context()
→ Add prominent warning in SKILL.md that --insecure should not be used in production over untrusted networks
 scripts/gitlab_api.py:46
Info
All resources declared as NONE Doc Mismatch
SKILL.md shows all resources as NONE in capability matrix but code uses filesystem:READ for config files and shell:WRITE for git operations
Capability model declares all NONE
→ Update capability matrix to reflect actual resource usage
 SKILL.md:1
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned Scripts make HTTPS requests to GitLab API endpoints
Shell NONE WRITE ✗ Violation gitlab_api.py:140-148 (git clone), gitlab_api.py:159-174 (_make_request_curl), f…
Filesystem NONE READ ✗ Violation credential_loader.py reads ~/.claude/gitlab_config.json and scripts/config.json
9 findings
🔗
Medium External URL 外部 URL
https://gitlab.example.com
SKILL.md:19
🔗
Medium External URL 外部 URL
https://gitlab.example.com/username/my-project
SKILL.md:236
🔗
Medium External URL 外部 URL
https://gitlab.example.com/username/my-project.git
SKILL.md:237
🔗
Medium External URL 外部 URL
https://gitlab.example.com/group/project
SKILL.md:260
🔗
Medium External URL 外部 URL
https://oauth2:TOKEN@host/project.git
SKILL.md:267
🔗
Medium External URL 外部 URL
https://gitlab.example.com/group/project-name
SKILL.md:291
🔗
Medium External URL 外部 URL
https://gitlab.example.com/user/settings/tokens
scripts/config.json:3
🔗
Medium External URL 外部 URL
https://gitlab.example.com\
scripts/credential_loader.py:265
🔗
Medium External URL 外部 URL
https://host/group/project
scripts/gitlab_api.py:130

File Tree

8 files · 66.8 KB · 1921 lines
Python 4f · 1354L Markdown 1f · 501L JSON 3f · 66L
├─ 📁 evals
│ └─ 📋 evals.json JSON 53L · 2.3 KB
├─ 📁 scripts
│ ├─ 📋 config.example.json JSON 6L · 227 B
│ ├─ 🔑 config.json JSON 7L · 336 B
│ ├─ 🔑 credential_loader.py Python 351L · 11.3 KB
│ ├─ 🐍 fetch_repos.py Python 92L · 2.6 KB
│ ├─ 🐍 gitlab_api.py Python 840L · 31.2 KB
│ └─ 🐍 list_repos.py Python 71L · 2.2 KB
└─ 📝 SKILL.md Markdown 501L · 16.6 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
stdlib Built-in Python standard library No Uses urllib, ssl, subprocess, json - all standard library

Security Positives

✓ No credential theft or exfiltration - tokens used only for GitLab API authentication
✓ No obfuscation techniques (base64, eval, etc.) detected
✓ Credential loader validates tokens and filters placeholders
✓ User config files created with restrictive 0o600 permissions
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2 communication, or data theft patterns
✓ Network requests limited to configured GitLab host only
✓ Clean, readable code with no suspicious patterns