gh-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes explicit token-like examples (e.g., export GH_TOKEN=ghp_xxxxxxxxxxxx) and commands that print or embed tokens (gh auth token, gh auth status --show-token, gh auth login --with-token), which encourages handling secrets that could be output verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill documents gh commands that fetch and display arbitrary public GitHub content—e.g., issue comments via "gh issue view --comments", PRs via "gh pr view", gists via "gh gist view", repository files via "gh repo clone" or "gh browse", and arbitrary endpoints via "gh api"—which are untrusted, user-generated third‑party sources that the agent is expected to read and parse.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly includes installation steps that invoke sudo to write to /usr/share and /etc/apt (adding keyrings and apt sources) and to run apt install, which directs modifying system files and requiring elevated privileges, so it encourages actions that can change the machine state.