Skills
skills/aaddrick/gh-cli-search/gh-cli-setup/Gen Agent Trust Hub

gh-cli-setup

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill provides the command gh auth status --show-token. If an agent executes this, it will print the user's GitHub authentication token to the output, which could be logged or intercepted by the agent or a monitoring system.
  • [COMMAND_EXECUTION] (HIGH): The installation instructions for Linux involve using sudo to write to system directories (/usr/share/keyrings/, /etc/apt/sources.list.d/) using curl and dd. This allows arbitrary system-level changes based on remote content downloaded at runtime.
  • [COMMAND_EXECUTION] (MEDIUM): The skill suggests modifying user shell profiles (~/.bashrc, ~/.zshrc) to alter the PATH environment variable. While common for manual setup, this is a persistence-adjacent technique that should be monitored for automated agents.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads GPG keys and package lists from cli.github.com. Since this domain is not on the explicit trusted source list provided in the security policy, these downloads are treated as high-risk unverifiable dependencies.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:50 PM