gitlab-claude

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests GitLab MR data (MR view, diffs, notes/comments via glab mr view, glab mr diff, glab mr note list) and CI job logs (glab ci trace), and it uses those user-generated third-party comments/diffs/logs as context that directly drives reviews, fixes, and agent actions, allowing malicious or crafted content to influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill accepts user-provided GitLab MR URLs (e.g., https://gitlab.com/group/subgroup/project/-/merge_requests/42) and at runtime uses glab to fetch MR JSON, diffs, and notes which are then injected verbatim into spawned agent prompts, meaning external content directly controls prompts and is a required runtime dependency.