gh-address-comments

Fail

Audited by Snyk on Mar 7, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt includes explicit instructions to run gh with "elevated network access" and to rerun with sandbox_permissions=require_escalated, which are hidden/privilege-escalation directives outside the stated PR-comment-handling purpose and constitute a prompt injection.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches user-generated PR comments and review threads from GitHub using scripts/fetch_comments.py (via "gh api graphql") as described in SKILL.md/README, and those external comments are parsed, presented to the agent, and directly drive task creation, code changes, commits, and resolution actions—so untrusted third-party content can influence behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs running gh commands with "elevated network access" and to "rerun with sandbox_permissions=require_escalated" (i.e. bypass sandboxing / escalate permissions), which requests circumventing security controls even though it doesn't ask for sudo or user creation.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 7, 2026, 05:32 PM