github-address-comments
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/fetch_review_threads.py` executes the GitHub CLI (gh) via `subprocess.run` to retrieve repository metadata and pull request details. It correctly uses a list for command arguments, which prevents shell injection.
- [PROMPT_INJECTION]: The skill ingests untrusted data from GitHub pull request comments, creating an indirect prompt injection surface where a malicious comment could potentially influence agent behavior.
  - Ingestion points: Pull request comments and review threads are fetched using the GitHub GraphQL API in `scripts/fetch_review_threads.py`.
  - Boundary markers: There are no explicit delimiters or instructions to treat the fetched comment text as untrusted content within the skill's workflow.
  - Capability inventory: The skill has the capability to run local scripts, use the GitHub CLI, and is intended to guide the agent in performing code implementation tasks.
  - Sanitization: The fetched comment bodies are processed as raw strings without any filtering or sanitization of potential instructions.
Audit Metadata