gh-inbox
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script `gh-inbox-report.mjs` executes the `gh` CLI tool using `execFileSync` to fetch issue and PR data. This is the intended purpose of the skill. Argument parsing is implemented to ensure inputs to the `gh` command are structured and limited to expected flags like `--repo`, `--owner`, and `--project`.
- [DATA_EXFILTRATION]: The skill reads data from GitHub (assigned issues, mentions, PRs) to generate a local report. There are no network operations detected that send this data to external or untrusted third-party domains.
- [PROMPT_INJECTION]: The `SKILL.md` instructions focus on task prioritization and verification. It includes explicit 'Confirmation Required' sections for any destructive or state-changing actions (like closing issues or merging PRs), reducing the risk of autonomous or malicious actions via the LLM.
- [EXTERNAL_DOWNLOADS]: The skill does not perform any external downloads or install third-party packages at runtime. It relies on the pre-installed GitHub CLI (`gh`) and the Node.js standard library.