
glab

by bezkom · GitHub ↗ · v1.0.4
cross-platform ⚠ suspicious
Downloads: 433
Stars: 0
Active Installs: 2
Versions: 5
Install in OpenClaw
/install glab
Description
Manage GitLab projects from the command line: create, review, merge MRs; manage issues; monitor and trigger CI/CD; support self-hosted instances and automation.
README (SKILL.md)

GitLab CLI (glab)

Official CLI for GitLab. Manage issues, merge requests, pipelines, and more from the terminal.

Source: Inspired by NikiforovAll/glab-skill on Smithery.

⚠️ Security Notice

The glab api command provides unrestricted GitLab API access with your token.

  • A compromised or overly-permissive token can delete projects, modify settings, expose secrets
  • Recommendation: Use tokens with minimal scopes:
    • read_api - Read-only operations
    • api - Full access (only when write operations needed)
  • For automation, consider project-level tokens with limited scope
  • Never use tokens with sudo scope unless required
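
A pre-flight check that applies the scope guidance above before any glab command runs. This is an added example, not part of the skill or its scripts: the function names and the policy are illustrative, the JSON is a constructed sample, and the live call assumes a personal access token described by GitLab's `personal_access_tokens/self` endpoint.

```shell
#!/bin/sh
# Added example: least-privilege pre-flight for the token glab will use.
# Scope names are the ones listed in the Security Notice; function names and
# the policy itself are illustrative assumptions, not part of the skill.

# Constructed sample of a token self-description response (not real data).
SAMPLE_TOKEN_JSON='{"name":"ci-readonly","active":true,"revoked":false,"scopes":["read_api"]}'

# token_scopes: read the JSON on stdin, print its scopes space-separated.
token_scopes() {
    jq -r '(.scopes // []) | join(" ")'
}

# check_scopes MODE [SCOPE...]   MODE is "read" or "write".
# Returns 0 = fits the task, 1 = broader than needed, 2 = refuse.
check_scopes() {
    mode=$1
    shift
    if [ "$#" -eq 0 ]; then
        echo "refuse: no scopes reported for this token"
        return 2
    fi
    verdict=0
    for scope in "$@"; do
        case $scope in
            sudo)     echo "refuse: token carries the sudo scope"; return 2 ;;
            api)      [ "$mode" = write ] || verdict=1 ;;  # full access on a read task
            read_api) ;;                                   # minimal scope
            *)        verdict=1 ;;                         # scope this workflow never uses
        esac
    done
    if [ "$verdict" -eq 1 ]; then
        echo "warn: scopes ($*) exceed what a $mode task needs"
    else
        echo "ok: scopes ($*) fit a $mode task"
    fi
    return "$verdict"
}

# Demo on the constructed sample (needs jq, as the skill itself does).
if command -v jq >/dev/null 2>&1; then
    check_scopes read $(printf '%s' "$SAMPLE_TOKEN_JSON" | token_scopes) || true
fi

# Live use, assuming GITLAB_TOKEN is a personal access token:
#   check_scopes read $(glab api personal_access_tokens/self | token_scopes)
```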

Prerequisites

Required binaries:

  • glab - GitLab CLI
  • jq - JSON processor (for scripts and API parsing)

Required credentials:

  • GITLAB_TOKEN - GitLab personal access token

Optional configuration:

  • GITLAB_HOST - Self-hosted GitLab instance (default: gitlab.com)

# Verify installation
glab --version
jq --version

# Authenticate (interactive)
glab auth login

# Or via environment
export GITLAB_TOKEN="glpat-xxxxxxxxxxxxxxxxxxxx"
export GITLAB_HOST="gitlab.example.org"  # for self-hosted

# Verify auth
glab auth status

Quick Reference

Merge Requests:

glab mr create --title "Fix" --description "Closes #123"
glab mr list --reviewer=@me          # MRs awaiting your review
glab mr checkout 123                  # Test MR locally
glab mr approve 123 && glab mr merge 123

Issues:

glab issue create --title "Bug" --label=bug
glab issue list --assignee=@me
glab issue close 456

CI/CD:

glab ci status                        # Current pipeline status
glab pipeline ci view                 # Watch pipeline live
glab ci lint                          # Validate .gitlab-ci.yml
glab ci retry                         # Retry failed pipeline

Working Outside Repo:

glab mr list -R owner/repo            # Specify repository

Advanced API Access:

See references/api-advanced.md for glab api usage. This command enables arbitrary GitLab API calls and should be used with appropriately-scoped tokens.

Core Workflows

Create and Merge MR

# 1. Push branch
git push -u origin feature-branch

# 2. Create MR
glab mr create --title "Add feature" --description "Implements X" --reviewer=alice,bob --label="enhancement"

# 3. After approval, merge
glab mr approve 123
glab mr merge 123 --remove-source-branch

Review MR

# List MRs for review
glab mr list --reviewer=@me

# Checkout and test
glab mr checkout 123

# Approve or comment
glab mr approve 123
glab mr note 123 -m "Looks good, just one suggestion..."

Monitor Pipeline

# Watch current branch pipeline
glab pipeline ci view

# Check specific pipeline
glab ci view 456

# View failed job logs
glab ci trace

# Retry
glab ci retry

Self-Hosted GitLab

# Set default host
export GITLAB_HOST=gitlab.example.org

# Or per-command
glab mr list -R gitlab.example.org/owner/repo

Scripts

Script                    Description
glab-mr-await.sh          Wait for MR approval and successful pipeline
glab-pipeline-watch.sh    Monitor pipeline with exit codes for CI

# Wait for MR to be approved and merged
./scripts/glab-mr-await.sh 123 --timeout 600

# Watch pipeline, exit 0 on success, 1 on failure
./scripts/glab-pipeline-watch.sh --timeout 300

Script environment variables:

  • TIMEOUT - Max wait time in seconds (default varies by script)
  • INTERVAL - Polling interval in seconds (default 5-10s)

Troubleshooting

Error                          Fix
command not found: glab        Install glab
command not found: jq          Install jq
401 Unauthorized               Set GITLAB_TOKEN or run glab auth login
404 Project Not Found          Verify repo name and permissions
not a git repository           Use -R owner/repo flag
source branch already has MR   Run glab mr list to find the existing MR

For detailed troubleshooting, see references/troubleshooting.md.

Progressive Disclosure

  • references/api-advanced.md - glab api usage with security considerations
  • references/commands-detailed.md - Full command reference with all flags
  • references/troubleshooting.md - Detailed error scenarios and solutions

Load these when you need specific flag details or are debugging issues.

Best Practices

  1. Always verify auth: glab auth status
  2. Use minimal-scope tokens for read operations
  3. Link MRs to issues: "Closes #123" in description
  4. Lint CI config before pushing: glab ci lint
  5. Use --output=json for scripting
  6. Most commands have --web to open in browser
Usage Guidance
This skill appears to be a legitimate glab (GitLab CLI) helper and the scripts are straightforward, but note two things: (1) the registry metadata does not declare the required binaries (glab, jq) or the required GITLAB_TOKEN though SKILL.md and the scripts do — treat that as a red flag in the packaging and confirm requirements before installing; (2) `glab api` can perform arbitrary API operations with your token, so only provide a token with the minimal scopes needed (prefer project-level tokens and read_api for read-only tasks). Before installing or running: inspect the two scripts locally, ensure you have glab and jq from trusted package sources (brew/apt), and never supply tokens with admin/sudo scope unless absolutely necessary. If you want to raise confidence to 'benign', ask the publisher to fix the registry metadata to list required binaries and env vars (GITLAB_TOKEN) and to confirm the install spec.
Capability Analysis
Type: OpenClaw Skill
Name: glab
Version: 1.0.4

The OpenClaw AgentSkills skill bundle for 'glab' is classified as benign. While the underlying GitLab CLI (`glab`) is a powerful tool capable of destructive actions (especially via `glab api`), the skill's documentation (SKILL.md, references/api-advanced.md) explicitly and repeatedly warns about these capabilities and strongly recommends using GitLab tokens with minimal scopes (e.g., `read_api`). The provided scripts (`glab-mr-await.sh`, `glab-pipeline-watch.sh`) use `glab` for legitimate, read-only monitoring tasks. There is no evidence of intentional malicious behavior, data exfiltration, persistence mechanisms, obfuscation, or prompt injection attempts designed to trick the AI agent into unauthorized actions. The skill is transparent about its functionality and associated security risks, promoting secure usage.
Capability Assessment
Purpose & Capability
The SKILL.md and included scripts clearly require the glab CLI, jq, and a GITLAB_TOKEN, and they document install via Homebrew/apt. However, the registry-level requirements reported earlier list no required binaries and no required env vars. That mismatch is an inconsistency: the skill legitimately needs glab/jq and a GitLab token, but the registry metadata does not declare them.
Instruction Scope
The runtime instructions and scripts stay within the stated purpose (creating/listing MRs, watching pipelines, and calling the GitLab API). The README explicitly warns that `glab api` allows arbitrary API calls and recommends minimal token scopes. The scripts call only glab and jq and do not read other system files or reach out to endpoints beyond the target GitLab instance.
Install Mechanism
No remote downloads or custom installers are present; SKILL.md suggests installing glab and jq via brew/apt (standard package managers). The registry manifest earlier claimed 'no install spec', while the skill's own metadata lists package manager install options — this inconsistency should be reconciled but the install sources themselves are low-risk (official package managers).
Credentials
The skill requires a GITLAB_TOKEN (and optionally GITLAB_HOST/TIMEOUT/INTERVAL) which is appropriate for a GitLab CLI. However the registry metadata listing no required env vars is inconsistent with SKILL.md. Also `glab api` enables unrestricted API calls: a token with overly broad scopes (api or sudo) would allow destructive or exfiltrative actions, so using minimal-scoped/project-level tokens is necessary.
Persistence & Privilege
The skill does not request always:true, does not claim to persist or modify other skills, and contains only shell scripts and documentation. It does not request elevated or system-wide privileges beyond running glab/jq commands in the user's environment.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install glab
  3. After installation, invoke the skill by name or use /glab
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.4
Security: Add warnings for glab api command. Recommend minimal token scopes (read_api). Move API docs to api-advanced.md with security header.
v1.0.3
Update homepage to public GitHub repo: https://github.com/bezko/openclaw-skills/tree/main/skills/glab
v1.0.2
Add homepage URL for source verification. Repo: https://gitlab.xqqx.xyz/bezko/xicotencatl/-/tree/main/skills/glab
v1.0.1
Add proper credential/env declarations (GITLAB_TOKEN, GITLAB_HOST). Add jq to required bins. Document TIMEOUT/INTERVAL env vars for scripts.
v1.0.0
Initial release. GitLab CLI skill for managing issues, MRs, and CI/CD. Includes utility scripts for pipeline watching and MR awaiting. Inspired by NikiforovAll/glab-skill on Smithery.
Metadata
Slug glab
Version 1.0.4
License
All-time Installs 2
Active Installs 2
Total Versions 5
Frequently Asked Questions

What is glab?

Manage GitLab projects from the command line: create, review, merge MRs; manage issues; monitor and trigger CI/CD; support self-hosted instances and automation. It is an AI Agent Skill for Claude Code / OpenClaw, with 433 downloads so far.

How do I install glab?

Run "/install glab" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is glab free?

Yes, glab is completely free (open-source). You can download, install and use it at no cost.

Which platforms does glab support?

glab is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created glab?

It is built and maintained by bezkom (@bezkom); the current version is v1.0.4.
