GitHub CLI v2.90.0: Agent Skills Management

TL;DR

• gh skill command now lets you discover, install, and manage AI agent skills from GitHub repos
• Version pinning and content-addressed change detection prevent silent supply chain attacks
• Portable provenance metadata travels with skills via frontmatter
• Breaking: Requires GitHub CLI v2.90.0 or later

New

• gh skill install — Install agent skills from GitHub repos with version pinning, tag targeting, and commit SHA locking for reproducibility
• gh skill search — Discover available skills across repositories
• gh skill publish — Validate skills against the Agent Skills spec and enforce supply chain security (immutable releases, secret scanning, code scanning)
• gh skill update — Check for upstream changes across all installed skills using stored provenance metadata; skip pinned skills automatically
• gh skill preview — Inspect skill content before installation to catch prompt injections or malicious scripts
• Multi-agent support — Works with GitHub Copilot, Claude Code, Cursor, Codex, Gemini CLI, and Antigravity via --agent flag
• Portable provenance — Installation metadata (repo, ref, tree SHA) written to skill frontmatter so provenance travels with the skill

Security & Supply Chain

• Content-addressed change detection — Compares git tree SHAs, not just version bumps, to detect real changes
• Version pinning — Lock skills to specific tags or commit SHAs; pinned skills skip automatic updates
• Immutable releases — gh skill publish can enforce GitHub's immutable release setting so admins cannot alter published releases
• Manual inspection required — Skills are not verified by GitHub; use gh skill preview before installing to check for hidden instructions or malicious code

Update GitHub CLI: brew upgrade gh (macOS) or winget upgrade GitHub.cli (Windows), or visit the v2.90.0 release page.

Source: GitHub Changelog