skills/paulrberg/agent-skills/gh-cli/Gen Agent Trust Hub

gh-cli

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): In 'references/advanced-features.md', the skill promotes the use of 'gh extension install', which allows for the installation and execution of arbitrary code from third-party GitHub repositories without verification.
  • CREDENTIALS_UNSAFE (MEDIUM): The skill provides instructions and examples for managing high-value secrets, including GitHub Actions secrets ('gh secret set') and private SSH/GPG keys ('gh ssh-key add', 'gh gpg-key add'). Improper use by an agent could lead to credential exposure or unauthorized access.
  • COMMAND_EXECUTION (MEDIUM): The script 'examples/workflow-monitor.sh' utilizes 'osascript' to trigger system notifications. This capability, while used for notifications here, represents a vector for executing arbitrary AppleScript commands on the host system.
  • PROMPT_INJECTION (LOW): (Category 8: Indirect Prompt Injection surface) The skill frequently processes untrusted content from GitHub.
    1. Ingestion points: 'examples/issue-triage.sh' (issue titles and bodies), 'examples/workflow-monitor.sh' (workflow names and titles), and 'examples/release-automation.sh' (git commit messages).
    2. Boundary markers: Absent; data is processed as raw strings.
    3. Capability inventory: Extensive gh CLI access, git operations, file system modifications (via 'sed' and 'jq'), and API interactions.
    4. Sanitization: Absent; content is passed directly to shell commands like 'echo', 'grep', and 'jq'.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:33 PM