gh-address-comments
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The SKILL.md file contains instructions that explicitly direct the agent to request 'elevated network access' and 'escalated permissions' (sandbox_permissions=require_escalated). This represents an attempt to override standard security constraints and bypass sandboxing.
- [COMMAND_EXECUTION]: The skill relies on executing system commands via the gh CLI. The script scripts/fetch_comments.py uses subprocess.run to interact with GitHub. While the script itself handles arguments safely, the instructions for the agent to 'apply fixes' based on external input introduce a risk of executing unintended commands if those 'fixes' are derived from malicious comments.
- [INDIRECT_PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection.
  - Ingestion points: Data is ingested from GitHub PR comments and review threads via scripts/fetch_comments.py.
  - Boundary markers: There are no boundary markers or instructions to treat the fetched comments as untrusted data.
  - Capability inventory: The agent is empowered to 'apply fixes' to the current branch, which involves file modifications and potentially command execution.
  - Sanitization: The skill lacks any mechanism to sanitize or validate the content of the comments before the agent processes them as instructions.
Recommendations
- AI detected serious security threats
Audit Metadata