Skills
AGENT LAB: SKILLS
skills/trailofbits/skills/using-gh-cli/Gen Agent Trust Hub

using-gh-cli

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill creates a vulnerability surface by processing untrusted data from GitHub while maintaining high-privilege tool access.
  • Ingestion points: Untrusted data enters the context via repository cloning (SKILL.md) and API calls for PR/Issue comments (references/pull-requests.md and references/issues.md).
  • Boundary markers: Absent. There are no instructions to delimit external content or warn the agent against following embedded instructions.
  • Capability inventory: The skill explicitly allows the 'Bash' tool (SKILL.md), providing the agent with command execution capabilities.
  • Sanitization: No sanitization or validation of external content is performed. An attacker could place malicious commands in a README or PR comment that the agent might execute.
  • Command Execution (MEDIUM): The skill's core functionality relies on the 'Bash' tool. While intended for the 'gh' CLI, the availability of a shell in an environment that processes external data significantly increases the risk profile.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 10:38 PM