GitHub CLI
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (HIGH): The command `gh extension install owner/gh-extension` allows the agent to download and execute arbitrary code from untrusted third-party repositories. This is a direct path to remote code execution if the agent is directed to an attacker-controlled extension.
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface for indirect prompt injection.
  - Ingestion points: `gh pr view`, `gh issue view`, `gh run view --log`, and `gh api` ingest untrusted content from PR descriptions, comments, and logs.
  - Boundary markers: None. There are no instructions for the agent to distinguish between its own system instructions and the content being viewed.
  - Capability inventory: The skill includes high-privilege write and destructive operations: `gh repo delete`, `gh pr merge`, `gh pr review --approve`, and `gh api` (write).
  - Sanitization: None. External content is processed as raw text.
- Command Execution (MEDIUM): The skill provides commands for destructive actions like `gh repo delete owner/repo`. While legitimate for a CLI helper, in the hands of an AI agent this creates a significant risk of accidental or malicious data loss.
- Data Exposure & Exfiltration (MEDIUM): Commands like `gh api` and `gh gist create -` can be used to programmatically exfiltrate repository data, environment secrets, or local file contents to external gists or API endpoints.
Recommendations
- AI detected serious security threats
Audit Metadata