github
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Prompt Injection] (MEDIUM): The skill is susceptible to Indirect Prompt Injection because it processes untrusted content from GitHub that could influence agent behavior.\n
- Ingestion points: Untrusted data is ingested via
gh issue list,gh pr checks,gh run view, andgh apicommands, which fetch metadata and text from external repositories.\n - Boundary markers: The skill lacks explicit delimiters or specific instructions for the agent to treat fetched content as untrusted data rather than instructions.\n
- Capability inventory: According to the skill description, the agent has access to
gh issueandgh pr, which can be used to modify repository states, post comments, or merge code, presenting a significant capability tier.\n - Sanitization: No sanitization or filtering is performed on the output of the CLI commands before it enters the agent's context.\n- [Command Execution] (LOW): The skill is designed to execute the
ghbinary. While this is the intended functionality of the CLI wrapper, it necessitates local command execution permissions.
Audit Metadata