gh-address-comments

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill fetches content from GitHub PR comments and reviews, which are attacker-controllable sources.
    • Ingestion points: scripts/fetch_comments.py (lines 51, 65, 85) extracts the body field of comments and review threads via the GraphQL API.
    • Boundary markers: Absent. No delimiters or specific instructions are provided to the agent to ignore instructions embedded within the fetched text.
    • Capability inventory: The skill is instructed to 'Apply fixes' based on the comments, which grants the agent the ability to modify the filesystem and execute build/test commands.
    • Sanitization: Absent. The external data is used directly for reasoning and task execution.
  • Privilege Escalation (HIGH): SKILL.md explicitly requests sandbox_permissions=require_escalated and 'elevated network access' to run gh CLI commands, bypassing standard security restrictions.
  • Command Execution (MEDIUM): scripts/fetch_comments.py uses subprocess.run to execute commands on the host system. While the commands themselves are largely static, the high-privilege context and exposure to untrusted input create a significant attack surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:47 PM