gh-address-comments

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE
Categories flagged: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it fetches untrusted content from GitHub review threads.
      • Ingestion points: scripts/fetch_comments.py retrieves comments and thread data from the GitHub GraphQL API.
      • Boundary markers: No specific delimiters or instructions are used to isolate the untrusted comment content from the agent's internal logic.
      • Capability inventory: The agent has permissions to edit and write files and execute local scripts, which could be exploited if malicious instructions embedded in a review comment are followed.
      • Sanitization: The skill does not perform sanitization or filtering on the comment text before processing.
  • [COMMAND_EXECUTION]: The skill uses the gh tool via the subprocess module to interact with GitHub. Arguments are passed as lists to prevent shell injection vulnerabilities, following secure coding practices.
  • [EXTERNAL_DOWNLOADS]: Pull request data and metadata are retrieved from GitHub's official API. As GitHub is a well-known and trusted service, this behavior is documented as a necessary and safe operation for the skill's primary function.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 7, 2026, 05:33 PM