ghpm-init
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill utilizes the official GitHub CLI (
gh) for all external data retrieval and authentication checks, which is a secure and standard method for interacting with GitHub resources. - [COMMAND_EXECUTION]: Uses standard shell commands (
gh,mkdir) for their intended purposes of environment discovery and configuration setup. No arbitrary or unsafe command execution patterns were detected. - [DATA_EXPOSURE]: Project metadata (IDs, titles, schema) is stored locally in the
.ghpm/directory. The skill includes a specific step to ensure this directory is added to the.gitignorefile, preventing accidental exposure of project structure in version control. - [PROMPT_INJECTION]: While the skill processes external data from GitHub (such as project and field names), this data is primarily used to populate a structured JSON configuration file. There is a low risk of indirect prompt injection affecting the agent's immediate behavior as the data ingestion is well-defined and scoped to configuration values.
Audit Metadata