fetch-unresolved-comments
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Prompt Injection (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: The skill fetches `comments[].body` from the GitHub GraphQL API, which contains arbitrary text written by any user with access to the PR.
  - Boundary markers: There are no instructions in `SKILL.md` to wrap the comment data in delimiters or to warn the agent to ignore embedded instructions.
  - Capability inventory: The agent is expected to "Parse the JSON output" and likely use the content to summarize feedback or guide code changes, providing a clear path for an attacker to influence agent behavior.
  - Sanitization: No sanitization or filtering of the comment body is mentioned before it is processed by the agent.
- Command Execution (MEDIUM): The skill instructions require the execution of shell commands, including `gh pr view` and `uv run python`. This introduces a dependency on the local environment and on the integrity of the files located at `.claude/skills/fetch-unresolved-comments/`.
- Data Exposure (LOW): The skill accesses the user's GitHub authentication token using `gh auth token`. While this is a standard practice for GitHub integration, it involves handling sensitive credentials that could be exfiltrated if combined with other malicious patterns.
Recommendations
- AI detected serious security threats
Audit Metadata