gh-address-comments
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Privilege Escalation (MEDIUM): The skill instructions explicitly direct the agent to run commands with "elevated network access" and "escalated permissions" (specifically
sandbox_permissions=require_escalated). This is a deliberate attempt to bypass or override the agent's security sandbox constraints. - Persistence Mechanisms (MEDIUM): The
PostToolUsehook is configured to append data to~/.claude/gh-address-comments.log. Unauthorized writing to hidden directories in the home folder is a persistence-like behavior used to maintain a footprint on the host system outside the active workspace. - Indirect Prompt Injection (LOW): The skill is designed to fetch and process GitHub PR comments via
scripts/fetch_comments.py. These external, attacker-controllable inputs are then used to guide the agent in "applying fixes," creating a surface for malicious instructions to hijack the agent's task. - Ingestion points: External GitHub PR/Issue comments fetched via
scripts/fetch_comments.py. - Boundary markers: None; the agent is instructed to summarize and act on comments without delimiters or safety warnings.
- Capability inventory: GitHub CLI (
gh) execution and file system modification (to "Apply fixes"). - Sanitization: None; the skill lacks any logic to sanitize or escape the content of the fetched comments before processing.
Audit Metadata