gh-inbox
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides standard functionality for GitHub account management. It does not contain any obfuscated code, hardcoded credentials, or unauthorized network communications.
- [COMMAND_EXECUTION]: The bundled script `gh-inbox-report.mjs` executes the official GitHub CLI (`gh`). It uses the `execFileSync` method with arguments passed as an array, which is a secure implementation that prevents shell command injection.
- [PROMPT_INJECTION]: While the skill ingests external data (GitHub issue titles and metadata), it explicitly requires the agent to obtain user confirmation before performing any write operations, such as labeling or commenting, which mitigates the risk of unauthorized state changes.
Audit Metadata