gh-cli-flow
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates the ingestion and processing of untrusted data from GitHub pull requests, issues, and review comments, creating a surface for indirect prompt injection.
  - Ingestion points: Operations in `SKILL.md` (e.g., `gh pr view`, `gh issue view`), `references/api-readonly.md` (REST API calls for comments), and `references/pr-comment-workflow.md` (GraphQL queries for review threads) retrieve external, attacker-controllable text.
  - Boundary markers: The instructions do not specify the use of delimiters or boundary markers to isolate retrieved data from the agent's internal instruction set.
  - Capability inventory: The skill possesses significant write capabilities, including merging PRs (`gh pr merge`), approving reviews (`gh pr review --approve`), and creating issues/PRs. Additionally, `references/line-comments.md` provides patterns for modifying or deleting review comments via `gh api`.
  - Sanitization: No evidence of sanitization, filtering, or validation of the retrieved content is present in the skill's logic.
- [COMMAND_EXECUTION]: The skill relies extensively on executing shell commands via the `gh` (GitHub CLI) tool.
  - Evidence: `SKILL.md` and the reference files provide numerous templates for command execution to manage repositories, CI/CD runs, and workflows. While this is the primary purpose of the skill, it involves high-volume interaction with a local binary tool.