gh-address-comments
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection as it processes untrusted external content and uses it to perform write operations. An attacker could embed instructions in a PR comment to hijack the agent's behavior.
  - Ingestion points: scripts/fetch_comments.py fetches conversation comments, reviews, and inline threads from GitHub via GraphQL.
  - Boundary markers: None present. The agent processes raw comment text without delimiters or instructions to ignore embedded commands.
  - Capability inventory: SKILL.md Step 3 ('Apply fixes') provides the agent with the authority to modify the codebase. The script fetch_comments.py uses subprocess.run to interact with the system.
  - Sanitization: No sanitization or validation of the fetched comment body is performed before the agent acts on it.
- [COMMAND_EXECUTION] (HIGH): The skill explicitly instructs the agent to bypass security constraints by requesting 'elevated network access' and escalated permissions ('sandbox_permissions=require_escalated') for the GitHub CLI.
- [COMMAND_EXECUTION] (MEDIUM): scripts/fetch_comments.py utilizes subprocess.run to execute shell commands. This increases the attack surface, particularly when combined with the instructions to 'Apply fixes' based on untrusted input.
Recommendations
- AI detected serious security threats
Audit Metadata