gh-address-comments
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/fetch_comments.py interacts with the GitHub CLI (gh) via the subprocess module to fetch repository and pull request data.
- [COMMAND_EXECUTION]: The SKILL.md instructions direct the agent to request elevated network access and bypass standard sandbox restrictions by using the require_escalated permission flag, which increases the potential impact of malicious actions.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted PR comments and follows them as instructions to apply code fixes.
  1. Ingestion points: The GitHub GraphQL API retrieves comments, reviews, and threads via scripts/fetch_comments.py.
  2. Boundary markers: No delimiters or ignore-instructions warnings are provided to separate fetched content from system instructions.
  3. Capability inventory: The agent is authorized to modify files and execute CLI commands with escalated permissions.
  4. Sanitization: There is no validation or filtering of comment text before the agent processes it to identify and apply code changes.
Recommendations
- AI detected serious security threats
Audit Metadata