{ "slug": "gitlab", "tool_id": "npm/@yoda.digital/gitlab-mcp-server", "verdict_url": "/verdict/gitlab", "verdict_content_hash": "sha256:85d450d8555b9c4ba5e8670434b6fea1e2536f6eff2d25dfef6af29471cd9f25", "version": "0.9.1", "commit": "177adc871ef94c39902bcdb8c89200d000e02e64", "dist_shasum": "54f88e5b8831d32bd9faa3257d352619649072ab", "scanned_at": "2026-06-14T00:00:00Z", "capture_self_test": "verified — a beacon decoy was emitted from the tool's network context; its presence in the intercept means a 'no egress' result would have been trustworthy.", "method": "Installed and run in an isolated container; fed traceable decoy data; all outbound traffic intercepted (TLS broken via own CA, iptables transparent redirect). Endpoints, resolved geo/jurisdiction and frequency are observed facts. Capture self-test passed.", "request_count": 32, "captured_requests": [ { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/repository/files/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND?ref=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/repository/files/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "content-length": "273", "content-type": "application/json", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "{\"branch\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"content\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"commit_message\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"previous_path\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\"}", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects?search=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND&page=1&per_page=20", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/repository/files/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND?ref=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/merge_requests", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "content-length": "275", "content-type": "application/json", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "{\"title\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"description\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"source_branch\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"target_branch\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/fork?namespace=Canary%20canary-e0448706-name-f1093cf0ee99", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "content-length": "0", "content-type": "application/json", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/repository/branches", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "content-length": "126", "content-type": "application/json", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "{\"branch\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"ref\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\"}", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/wikis", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/wikis/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND?version=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "DELETE", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/wikis/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/groups/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/wikis", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/groups/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/wikis/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND?version=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "DELETE", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/groups/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/wikis/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/members/all?query=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/groups/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/members/all?query=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/pipelines?per_page=1&ref=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/repository/branches?search=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND®ex=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "DELETE", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/repository/branches/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/repository/compare?from=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND&to=canary-e0448706-email-56354990ed25%40trace.invalid", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/repository/tags", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "content-length": "258", "content-type": "application/json", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "{\"tag_name\":\"Canary canary-e0448706-name-f1093cf0ee99\",\"ref\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"message\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"release_description\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\"}", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/repository/tree?path=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND&ref=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/releases", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "content-length": "370", "content-type": "application/json", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "{\"tag_name\":\"Canary canary-e0448706-name-f1093cf0ee99\",\"name\":\"Canary canary-e0448706-name-f1093cf0ee99\",\"description\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"ref\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"milestones\":[\"canary-e0448706-email-56354990ed25@trace.invalid\"],\"released_at\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\"}", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/labels?search=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/labels", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "content-length": "183", "content-type": "application/json", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "{\"name\":\"Canary canary-e0448706-name-f1093cf0ee99\",\"color\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"description\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\"}", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/milestones", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "content-length": "267", "content-type": "application/json", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "{\"title\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"description\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"due_date\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\",\"start_date\":\"FILE-CONTENT::canary-e0448706-file-18366ed610a5::END\"}", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/protected_branches?search=FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "POST", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/protected_branches", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "content-length": "51", "content-type": "application/json", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "{\"name\":\"Canary canary-e0448706-name-f1093cf0ee99\"}", "blocked": true, "tls_inspected": true }, { "method": "DELETE", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND/protected_branches/Canary%20canary-e0448706-name-f1093cf0ee99", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/projects/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/user", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "GET", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/groups/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true }, { "method": "DELETE", "scheme": "https", "host": "gitlab.com", "path": "/api/v4/groups/FILE-CONTENT%3A%3Acanary-e0448706-file-18366ed610a5%3A%3AEND", "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate, br", "authorization": "Bearer canary-dummy", "user-agent": "node-fetch", "Host": "gitlab.com", "Connection": "keep-alive" }, "body_redacted": "", "blocked": true, "tls_inspected": true } ], "reproduce": { "scanner": "canary-sandbox (open methodology; Docker backend)", "command": "python -m canary.cli scan --backend docker # target: npm @yoda.digital/gitlab-mcp-server@0.9.1", "note": "Re-run it yourself: the scanner installs the pinned version, drives the tool over MCP, and intercepts all egress." }, "note": "Raw captured outbound requests from one sandbox run (identifiers/keys redacted). This is the underlying observation behind the verdict — re-run the scan to verify.", "verification": "verdict_content_hash = sha256 over the canonical verdict JSON; dist_shasum = the npm tarball checksum of the pinned version. Signed artifacts + an append-only immutable log are on the roadmap (toward independent verifiability).", "verdict_signature": "ed25519:i7EhKxMPDXvADiSFWioIZFdKK1lz1qhI4Y7ymbQcTPeFBcbmnqSEQ0pFkVrXa4Uuyv3wfOQcEmJQhJuKU9K5Dw==" }