NYC

gh-address-comments

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface for indirect prompt injection via GitHub PR comments.
  • Ingestion points: The scripts/fetch_comments.py script retrieves the body field of comments, reviews, and reviewThreads from the GitHub GraphQL API.
  • Boundary markers: No delimiters or instructions are provided to the agent to treat this fetched content as untrusted data or to ignore embedded instructions.
  • Capability inventory: While the fetching script only reads data, the instructions in SKILL.md command the agent to "Apply fixes for the selected comments." This grants the agent write and potentially execution capabilities on the local filesystem and codebase.
  • Sanitization: There is no evidence of sanitization, filtering, or validation of the comment content before it is processed by the agent to generate code changes.
  • Privilege Escalation (LOW): The SKILL.md file explicitly requests sandbox_permissions=require_escalated and "elevated network access" for the gh CLI. While documented as necessary for gh auth status and API calls, this increases the potential impact of other vulnerabilities.
  • Command Execution (LOW): The Python script uses subprocess.run to execute the gh CLI. It uses a list-based argument structure and the GitHub CLI's -F flag for variables, which is a secure practice that prevents traditional shell command injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:35 PM