cli-gh (skill from paulrberg/dot-agents)

Audit result: Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: Several example scripts included in the skill are vulnerable to command injection through unvetted shell interpolation. In workflow-monitor.sh, the send_notification function interpolates the $message and $title variables (sourced from GitHub workflow names) directly into an osascript command string without escaping. An attacker could craft a malicious workflow name to execute arbitrary AppleScript code on the user's machine. Similarly, release-automation.sh interpolates the $VERSION_NUM variable into a jq filter string executed via the shell, which could allow command breakout if the version string contains special characters.
  • [CREDENTIALS_UNSAFE]: The skill includes extensive guides and script patterns for managing highly sensitive authentication data, including GitHub Secrets (gh secret), SSH keys (gh ssh-key), and GPG keys (gh gpg-key). This gives the agent the capability to read or modify secrets used for production environments and authentication.
  • [EXTERNAL_DOWNLOADS]: The documentation encourages and demonstrates the installation of third-party extensions via gh extension install. This allows the download and execution of arbitrary external code from GitHub repositories, which may not be vetted for security.
  • [PROMPT_INJECTION]: The issue-triage.sh script facilitates indirect prompt injection by processing untrusted issue titles and bodies from GitHub to perform automated management tasks. This creates an attack surface where malicious content in a repository could influence the agent's actions.
      ◦ Ingestion points: issue-triage.sh (line 53) and automation-workflows.md (line 86) fetch untrusted content using gh issue list and gh pr diff.
      ◦ Boundary markers: None identified; the scripts process raw issue and PR data without delimiters or guardrails.
      ◦ Capability inventory: The skill can edit issues, labels, and assignees via gh issue edit, and make arbitrary API calls via gh api.
      ◦ Sanitization: The scripts use basic keyword filtering via grep and jq parsing but do not sanitize or validate the content against instructional bypass attempts.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 1, 2026, 01:33 AM