Trust Assessment
gitlab-manager received a trust score of 94/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 1 medium, and 0 low severity. The single finding is "Unencoded user input in URL query parameter".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unencoded user input in URL query parameter. The `state` parameter in the `listMergeRequests` function is taken directly from command-line arguments (`args[2]`) and interpolated into the URL query string without being URL-encoded. This allows an attacker to inject arbitrary query parameters into the GitLab API request, potentially leading to data exfiltration (e.g., by overriding pagination limits or filtering criteria) or unexpected API behavior. Ensure all user-supplied parameters interpolated into URLs are properly URL-encoded using `encodeURIComponent()`. Specifically, change `?state=${state}` to `?state=${encodeURIComponent(state)}`. | LLM | scripts/gitlab_api.js:60 |
[Full SkillShield report](https://skillshield.io/report/95680950f5346297)