gh-address-comments
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/fetch_comments.py executes system commands using subprocess.run to interact with the GitHub CLI (gh auth status, gh pr view, and gh api graphql). While this is the intended functionality, it grants the agent the ability to execute arbitrary CLI tools if not properly restricted.
- [PROMPT_INJECTION]: The SKILL.md file contains instructions for the agent to bypass security constraints if encountered. Specifically, it tells the agent to rerun commands with sandbox_permissions=require_escalated and request high-privilege GitHub scopes (workflow/repo) if sandboxing blocks its initial attempts.
- [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and acts upon content from external GitHub PR comments.
  - Ingestion points: PR comment and review thread bodies are fetched via scripts/fetch_comments.py and provided to the agent context.
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore potential commands embedded in the comments.
  - Capability inventory: The agent is tasked with "Applying fixes" based on these comments, which involves file system writes and potentially further command execution.
  - Sanitization: None. The fetched comment text is processed as raw input for the agent's next actions.
Audit Metadata