Skills
skills/jackchuka/skills/gh-oss-go-bump/Gen Agent Trust Hub

gh-oss-go-bump

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes several shell commands to manage the Go environment and GitHub repositories, including gh CLI commands for repository listing, PR management, and merging, as well as go toolchain commands like go mod tidy and go test for local verification.
  • [EXTERNAL_DOWNLOADS]: To perform updates, the skill clones external repositories to the /tmp directory and requires the installation of the gh oss-watch extension.
  • [REMOTE_CODE_EXECUTION]: The workflow involves running go test ./... on cloned repositories. While this is standard for Go development, it technically executes code from the target repositories on the local system.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes external, untrusted data including go.mod files, GitHub PR and Issue lists, and web search results.
  • Ingestion points: SKILL.md (Step 2: go.mod content, CI workflows, PR/Issue lists; Step 1: web search results).
  • Boundary markers: Absent; the instructions do not specify delimiters or instructions to ignore embedded commands when reading external files.
  • Capability inventory: SKILL.md (Step 3: go mod tidy, go test; Step 4: gh pr create; Step 5: gh pr merge).
  • Sanitization: Absent; the skill does not explicitly validate or sanitize the content of the files it reads before processing or interpolating them.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 15, 2026, 02:44 AM
Security Audit — agent-trust-hub — gh-oss-go-bump