Safety Report

Gitlab Manager

Name: Gitlab Manager
Rating: 3 (2 reviews)
Author: jorgermp

Manage GitLab repositories, merge requests, and issues via API. Use for tasks like creating repos, reviewing code in MRs, or tracking issues.

2,265Downloads

0Installs

2Stars

1Versions

API Integration4,971 Project Management1,537 PDF & Documents1,388 Git & Version Control784

Security Analysis

high confidence

Suspicious

The skill's code and SKILL.md legitimately use a GitLab personal access token, but the registry metadata does not declare that required credential — this mismatch is an incoherence you should resolve before installing.

Feb 11, 20262 files2 concerns

Purpose & Capabilityconcern

The name/description, SKILL.md, and the included script consistently implement GitLab API operations (create repo, list/comment MRs, create issues) calling https://gitlab.com/api/v4. However the registry metadata claims no required environment variables or primary credential while both SKILL.md and the script require GITLAB_TOKEN. That metadata omission is disproportionate and reduces transparency about needed credentials.

Instruction Scopeok

SKILL.md limits runtime actions to running the provided Node script to talk to the GitLab API. The instructions do not ask the agent to read unrelated files or send data to endpoints other than GitLab. The runtime behavior is scoped to repository/MR/issue operations.

Install Mechanismok

There is no install spec (instruction-only) and the package only includes a short Node script. Nothing is downloaded or extracted from external/untrusted URLs.

Credentialsconcern

Requiring a GITLAB_TOKEN (PAT with 'api' scope) is appropriate for the declared functionality, but the registry metadata does not list this required env var or a primary credential. That mismatch is problematic because the platform may not prompt you to provide a token or treat it as a secret. Also, giving a PAT to an installed skill grants it direct API access to your projects — you should ensure the token is least-privilege, short-lived, and issued only if you trust the skill.

Persistence & Privilegeok

always is false and there are no config paths or system-wide changes requested. The skill can be invoked autonomously (platform default) — normal for skills, but note that autonomous invocation plus a supplied PAT allows the skill to act on your GitLab resources without further prompts.

Guidance

Before installing: (1) Ask the publisher/registry to update the metadata to declare GITLAB_TOKEN as a required credential so the platform can treat it as a secret. (2) Inspect the included script (it's short) and confirm it only talks to https://gitlab.com/api/v4 (no hidden endpoints). (3) If you proceed, create a dedicated GitLab Personal Access Token with the minimum scopes and expiration needed (avoid broad scopes), and store it in the platform's secret store rather than passing it on the command line. (4) Consider running the script locally or in an isolated environment first. (5) If you cannot verify the origin/trustworthiness of the skill (source is unknown), prefer not to grant a PAT to it.

Latest Release

v1.0.0

Initial release of gitlab-manager. - Manage GitLab repositories, merge requests, and issues via the API. - Supports creating repositories, listing and commenting on merge requests, and creating issues using a Node.js script. - Requires GITLAB_TOKEN with appropriate API permissions. - Designed for simple command-line integration and automation of common GitLab tasks.

More by @jorgermp

Task Monitor

8 stars

eMail manager lite

2 stars

Google Photos Manager for OpenClaw

1 stars

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Published by @jorgermp on ClawHub