address-gh-comments

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The instructions explicitly direct the agent to bypass security sandboxing and safety constraints.
  • Evidence: In gh-address-comments/SKILL.md, the instructions tell the agent to "Run all gh commands with elevated network access" and to use sandbox_permissions=require_escalated if sandboxing blocks the GitHub CLI operations.
  • [COMMAND_EXECUTION]: The skill executes external system commands using the GitHub CLI tool.
  • Evidence: The script gh-address-comments/scripts/fetch_comments.py uses the subprocess module to run commands like gh auth status, gh pr view, and gh api graphql.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from GitHub PR comments to drive code changes.
  • Ingestion points: gh-address-comments/scripts/fetch_comments.py extracts the body field from PR comments, reviews, and threads.
  • Boundary markers: Absent. The agent is not instructed to use delimiters or to disregard instructions contained within the fetched comments.
  • Capability inventory: The skill can execute CLI commands via gh and is tasked with modifying source code to "Apply fixes" for the comments.
  • Sanitization: Absent. The agent is directed to apply fixes based directly on the raw text of the fetched comments.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 4, 2026, 07:17 AM