gitlab-exploit

Audit result: Fail

Audited by Socket on Apr 22, 2026

3 alerts found:

Alert types: Security ×1, Malware ×2

Security: MEDIUM
SKILL.md

The skill is largely consistent with its stated purpose, but that stated purpose is itself to give an AI agent actionable GitLab exploitation and account-takeover capability. There is no obvious supply-chain or third-party credential-forwarding issue, but its real function is to help an agent carry out offensive security operations, including RCE, arbitrary file read and password-reset takeover, so it should be judged high-risk, suspicious and unsuitable for general skill distribution.

Confidence: 93%, Severity: 94%

Malware: HIGH
references/cve-rce-exploits.md

This code is highly indicative of malicious/offensive exploitation tooling. It weaponizes GitLab weaknesses to (1) trigger server-side command execution by embedding an attacker-controlled Perl `qx{...}` command inside DjVu metadata processed by ExifTool and (2) obtain arbitrary server file contents via authenticated path traversal crafted around an uploaded attachment URL. It automates CSRF handling, authentication, prerequisite resource creation, and then prints sensitive results to the operator console. It is not suitable for use as a benign dependency.

Confidence: 90%, Severity: 100%

Malware: HIGH
references/cve-account-takeover.md
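To give a defender something concrete to run against the RCE finding above, the following Python is an added example (not code from this package and not Socket's analysis tooling) that flags an upload exhibiting the pattern the alert describes: a DjVu container, possibly renamed to an image extension, whose metadata carries a Perl command-execution operator such as qx{...}. The DjVu byte blob, the filenames and the finding labels are constructed for illustration; the blob is not a well-formed DjVu document and is not an exploit.

```python
import os
import re

# DjVu files start with the IFF-style "AT&TFORM" magic, a 4-byte length and a
# form type (DJVU single page, DJVM bundled, DJVI shared). ExifTool dispatches on
# this magic, not on the extension, so a DjVu renamed to .jpg is still parsed as DjVu.
DJVU_MAGIC = b"AT&TFORM"
DJVU_FORM_TYPES = (b"DJVU", b"DJVM", b"DJVI")

# Perl command-execution syntax that has no legitimate place in image metadata:
# qx with any common delimiter, or a backtick-quoted string.
PERL_EXEC_RE = re.compile(rb"\bqx\s*[{(\[/|<]|`[^`\n]+`")

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".tif", ".tiff", ".bmp"}


def is_djvu(data: bytes) -> bool:
    """True when the bytes carry a DjVu container header."""
    return data.startswith(DJVU_MAGIC) and data[12:16] in DJVU_FORM_TYPES


def scan_upload(filename: str, data: bytes) -> list[str]:
    """Return the finding labels for one uploaded file (empty list if clean)."""
    findings: list[str] = []
    if not is_djvu(data):
        return findings
    ext = os.path.splitext(filename)[1].lower()
    if ext in IMAGE_EXTENSIONS:
        # A DjVu container behind an image extension is the masquerade used to
        # slip the file past extension-based upload filters.
        findings.append("djvu-masquerading-as-image")
    if PERL_EXEC_RE.search(data):
        findings.append("perl-exec-in-djvu-metadata")
    return findings


# Constructed samples (not real files): a JPEG SOI header padded with zeros, and a
# DjVu-shaped blob whose ANTa annotation chunk carries a qx{} operator. The blob is
# deliberately not a valid DjVu document and does nothing when handled here.
BENIGN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 28
SUSPECT_DJVU = (
    DJVU_MAGIC
    + b"\x00\x00\x00\x40"
    + b"DJVU"
    + b"ANTa"
    + b"\x00\x00\x00\x30"
    + b'(metadata (Copyright "\\" . qx{id} . \\""))'
)

if __name__ == "__main__":
    for name, blob in (("avatar.jpg", BENIGN_JPEG),
                       ("avatar.jpg", SUSPECT_DJVU),
                       ("scan.djvu", SUSPECT_DJVU)):
        print(name, scan_upload(name, blob))
```

The check keys on the container magic rather than the extension for the same reason the attack works: the metadata parser does. It is a compensating control for an upload path, not a substitute for running a patched ExifTool and GitLab.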

This module is high-confidence malicious offensive tooling: it actively exploits GitLab password reset weaknesses (CVE-2023-7028) by submitting crafted dual-email reset requests and then performs an automated password change using externally obtained reset_password_token and CSRF/authenticity tokens. It also contains reconnaissance logic, but the presence of an end-to-end account takeover chain makes the overall risk extreme. Treat as unsafe for any supply-chain use and do not execute or distribute.

Confidence: 86%, Severity: 100%
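For the account-takeover alert, a request-level check an operator could place in front of the password-reset endpoint or run over captured request bodies, as an added example (not this package's code and not Socket's): it parses a form body and flags a reset request whose email field carries more than one address, which is the crafted dual-email request the alert describes. The endpoint path /users/password and the field name user[email] are assumptions based on GitLab's Devise-backed reset form and should be verified against the deployed instance; the request bodies are constructed samples with no real accounts.

```python
from urllib.parse import parse_qs

# Assumption (verify on the target instance): the reset form posts to
# /users/password with the address under user[email]; the crafted request
# turns that field into an array (user[email][]) holding two addresses.
RESET_PATH = "/users/password"
EMAIL_KEYS = ("user[email]", "user[email][]")


def reset_emails(body: str) -> list[str]:
    """All distinct, non-empty addresses submitted under the reset form's email field."""
    params = parse_qs(body, keep_blank_values=True)
    seen: list[str] = []
    for key in EMAIL_KEYS:
        for value in params.get(key, []):
            addr = value.strip().lower()
            if addr and addr not in seen:
                seen.append(addr)
    return seen


def is_dual_email_reset(method: str, path: str, body: str) -> bool:
    """Flag a password-reset POST that names more than one address.

    A legitimate reset carries exactly one address; the crafted request carries
    two so the reset link is mailed to the attacker as well as the victim.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != RESET_PATH:
        return False
    return len(reset_emails(body)) > 1


# Constructed request bodies (no real accounts).
LEGIT_BODY = "authenticity_token=abc&user[email]=victim%40example.com"
CRAFTED_BODY = (
    "authenticity_token=abc"
    "&user[email][]=victim%40example.com"
    "&user[email][]=attacker%40example.net"
)

if __name__ == "__main__":
    print(is_dual_email_reset("POST", RESET_PATH, LEGIT_BODY))    # False
    print(is_dual_email_reset("POST", RESET_PATH, CRAFTED_BODY))  # True
```

Because parse_qs collects repeated keys into lists, a body that repeats plain user[email] twice is caught the same way as the bracketed array form. This is a detection and blocking aid at the edge; the actual fix is the patched GitLab release, and a hit on this check should be treated as an attempted takeover and correlated with any reset token subsequently used.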
Audit Metadata

Analyzed at: Apr 22, 2026, 10:10 AM
Package URL: pkg:socket/skills-sh/wgpsec%2FAboutSecurity%2Fgitlab-exploit%2F@9a476cb349cb91de3c00f653f73c298c4055376a