Skills
skills/github/awesome-copilot/copilot-usage-metrics/Gen Agent Trust Hub

copilot-usage-metrics

Pass

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (LOW): The skill invokes the gh CLI via shell scripts using arguments (org name, enterprise slug, and date) provided by the user. While the variables are double-quoted to prevent shell injection, the lack of validation on these inputs allows for potential path manipulation within the GitHub API request.
  • [PROMPT_INJECTION] (LOW): The skill processes external data from the GitHub API, which presents a surface for indirect prompt injection if the API response contains malicious instructions.
  • Ingestion points: GitHub API responses in get-org-metrics.sh, get-org-user-metrics.sh, get-enterprise-metrics.sh, and get-enterprise-user-metrics.sh.
  • Boundary markers: None present to distinguish data from instructions.
  • Capability inventory: Network access and API interaction via the gh CLI.
  • Sanitization: No sanitization or validation of the API response is performed before processing.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 20, 2026, 09:15 AM