skills/oakoss/agent-skills/github-cli/Gen Agent Trust Hub

github-cli

Pass

Audited by Gen Agent Trust Hub on Feb 24, 2026

Risk Level: SAFE (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [PROMPT_INJECTION]: The skill documents commands that fetch content from GitHub repositories, which constitutes an indirect prompt injection surface. An agent using these patterns will ingest data from issues, pull requests, and logs that may contain instructions from untrusted external users.
      ◦ Ingestion points: Commands such as 'gh issue view', 'gh pr view', and 'gh run view --log' in files like 'references/issues.md' and 'references/actions.md' retrieve potentially attacker-controlled text.
      ◦ Boundary markers: The provided command patterns do not include explicit instructions or delimiters to isolate fetched data from the agent's core instructions.
      ◦ Capability inventory: The documentation includes high-privilege operations such as 'gh secret set', 'gh repo delete', 'gh workflow run', and 'gh extension install' that could be targeted by successful injection.
      ◦ Sanitization: No patterns for data validation or content sanitization are provided within the documentation.
  • [EXTERNAL_DOWNLOADS]: The skill neutrally documents the 'gh extension install' command in 'references/repos-auth.md'. This is a standard feature of the GitHub CLI for extending functionality, and the skill provides it as a reference without recommending untrusted sources.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 24, 2026, 08:36 PM