gh-cli
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates the ingestion of untrusted data from GitHub via commands like `gh issue view` or `gh pr list`, creating a surface for indirect prompt injection.
  - Ingestion points: Commands such as `gh issue view`, `gh pr view`, and `gh api` fetch user-generated content from external, potentially attacker-controlled repositories.
  - Boundary markers: There are no instructions or delimiters provided to mitigate the risk of the agent executing commands embedded within fetched issue or PR descriptions.
  - Capability inventory: The documented commands provide extensive capabilities, including modifying repository settings, managing secrets, and executing code via extensions.
  - Sanitization: No sanitization or validation of external content is described in the documentation.
- [EXTERNAL_DOWNLOADS]: Documents standard installation procedures that fetch GPG keys and repository configurations from the official `cli.github.com` domain.
- [COMMAND_EXECUTION]: Includes a complete reference for commands that allow administrative tasks, such as `gh repo delete`, `gh secret set`, and workflow management.
- [REMOTE_CODE_EXECUTION]: Describes the `gh extension` command group, which allows the installation and execution of third-party CLI extensions.
- [CREDENTIALS_UNSAFE]: Lists commands for authentication and credential management, including displaying session tokens via `gh auth token` and managing SSH/GPG keys.
Audit Metadata