NYC

github

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Data Exposure] (HIGH): The skill explicitly includes commands to access and upload sensitive local files. Specifically, gh ssh-key add ~/.ssh/id_ed25519.pub targets the SSH directory, and gh secret set MY_SECRET < secret.txt encourages the transmission of local secrets to GitHub.
  • [Indirect Prompt Injection] (HIGH): The skill possesses an extensive attack surface for indirect injection. It ingests untrusted data from external sources and has high-privilege capabilities.
    ◦ Ingestion Points: gh issue list, gh pr view, gh search, gh api, and particularly gh run view --log (reading CI/CD output).
    ◦ Boundary Markers: None present. The agent processes raw output from GitHub which may contain malicious instructions embedded by external contributors in PRs or issues.
    ◦ Capability Inventory: High. The skill can merge PRs (gh pr merge), set repository secrets (gh secret set), and execute arbitrary API calls (gh api).
    ◦ Sanitization: None. The skill provides no mechanisms to filter or escape instructions found within the data it reads.
  • [External Downloads / Unverifiable Dependencies] (MEDIUM): The command gh extension install owner/gh-extension allows the installation of third-party extensions from any GitHub repository. These extensions run with the user's permissions and can execute arbitrary code.
  • [Command Execution] (LOW): The skill is entirely based on executing shell commands. While expected for a CLI wrapper, it provides an agent with the ability to perform significant modifications to a user's GitHub environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 10:56 PM