skills/oldwinter/skills/github-cli/Gen Agent Trust Hub

github-cli

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Data Exposure & Exfiltration (MEDIUM): The skill instructions include accessing sensitive local files such as SSH public keys and GPG keys.
      * Evidence: Commands such as gh ssh-key add ~/.ssh/id_rsa.pub and gh gpg-key add key.gpg are documented.
      * Context: Access to SSH/GPG identity files is a HIGH severity finding for exposure, downgraded to MEDIUM here because it is a core feature of the GitHub CLI's intended purpose.
  • Command Execution (MEDIUM): The skill documents dangerous shell patterns that pipe external data from an API directly into a shell interpreter.
      * Evidence: gh pr list ... | xargs -I {} sh -c 'gh pr review {} --approve && gh pr merge {} --squash'.
      * Risk: Use of sh -c with variables derived from untrusted GitHub metadata (like branch names or tags) can lead to command injection if the input contains shell metacharacters.
  • Indirect Prompt Injection (LOW): The skill creates a surface where the agent processes untrusted external data which could contain malicious instructions.
      * Ingestion points: gh pr list, gh issue list, gh run view --log (fetching titles, bodies, and logs from external repos).
      * Boundary markers: Absent. The skill does not instruct the agent to ignore instructions embedded in the fetched data.
      * Capability inventory: gh repo delete, gh pr merge, gh pr review, and gh api (destructive and high-privilege actions).
      * Sanitization: Absent. The data is piped directly into other CLI commands and shell environments.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:31 PM