bbot's gitlab.py sends the user's "gitlab" API key to on-premise GitLab instances.
If a user has configured a gitlab.com API key using this mechanism, it may be leaked to an attacker-controlled server.
A user with a "gitlab" API key configured who uses bbot to scan a malicious webserver may leak their gitlab.com API key to an untrustworthy server.