gh-cli
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of shell commands and piping, including the use of `jq`, `base64`, and `diff`. It also documents `gh alias set --shell`, which allows users to define shell expressions that are evaluated through the sh interpreter when the alias is invoked.
- [REMOTE_CODE_EXECUTION]: Documentation for `gh extension install` is provided, which allows the installation of third-party CLI extensions that execute locally. The skill also describes `gh workflow run` for triggering GitHub Actions workflows.
- [DATA_EXFILTRATION]: The skill contains commands to fetch and decode remote file content using the GitHub API (`gh api ... contents`) and to display authentication tokens (`gh auth token` or `gh auth status --show-token`), which could lead to sensitive data exposure if used on untrusted resources.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from remote repositories.
  - Ingestion points: File contents, directory listings, and repository metadata are fetched via `gh api` in `SKILL.md` and `references/remote-analysis.md`.
  - Boundary markers: There are no boundary markers or instructions to ignore embedded commands within the fetched repository content.
  - Capability inventory: The skill has broad capabilities, including shell command execution, network requests via the GitHub CLI, and the ability to install and run external extensions.
  - Sanitization: No sanitization, escaping, or validation of the retrieved repository content is performed before processing.
Audit Metadata