cli-gh
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [DATA_EXFILTRATION] (HIGH): Documentation in references/advanced-features.md and references/troubleshooting.md explicitly references sensitive file paths including ~/.ssh/id_ed25519.pub and secret.txt. Exposure of these paths to an agent is a HIGH severity finding.
- [PROMPT_INJECTION] (HIGH): The examples/issue-triage.sh script is vulnerable to indirect prompt injection (Category 8). [1] Ingestion points: Fetches untrusted issue titles and bodies via gh issue list. [2] Boundary markers: None. [3] Capability inventory: Modifies repository state via gh issue edit and gh api. [4] Sanitization: None; uses simple string matching. This allows attackers to influence agent logic or labeling through malicious issue content.
- [COMMAND_EXECUTION] (MEDIUM): Scripts like examples/release-automation.sh invoke build and test tools (npm, make, pytest) based on local project files. This creates a risk of executing arbitrary code if the repository's build configuration is compromised.
- [CREDENTIALS_UNSAFE] (HIGH): The troubleshooting guide and advanced features list methods for piping tokens and secrets into the CLI (e.g., gh auth login --with-token < token.txt), which encourages unsafe handling of sensitive credentials by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata