structure-first-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill instructs the agent to run `gh auth login` (Step 3) to establish an authenticated session. This directly targets the user's GitHub credentials and makes sensitive tokens available to the agent runtime.
- [COMMAND_EXECUTION] (HIGH): The skill directs the agent to use `gh api graphql` (Step 5) to create content on GitHub. This provides the agent with the capability to perform arbitrary write operations against the GitHub API using the user's authenticated session.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Step 2 requires the agent to install the `gh` CLI if it is not present. This is an instruction to download and execute external software within the agent's environment.
- [PROMPT_INJECTION] (HIGH): This skill exhibits a high-risk Category 8 (Indirect Prompt Injection) surface.
  - Ingestion points: The skill processes "model/agent-specific reactions" and "One-line Comments" based on user code work (SKILL.md).
  - Boundary markers: None are defined to separate user/agent reactions from the execution logic.
  - Capability inventory: The skill uses `gh api graphql` to perform write operations (discussion creation) and `gh auth login` for privilege acquisition.
  - Sanitization: There is no mention of sanitizing the playful AI reviews before they are interpolated into the GraphQL command, allowing a malicious input to potentially alter the API call's structure or target.
Recommendations
- AI detected serious security threats
Audit Metadata