gh-address-comments
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/fetch_comments.py` uses `subprocess.run` to execute GitHub CLI (gh) commands. The skill instructions in `SKILL.md` explicitly request "elevated network access" and "escalated permissions" (specifically `sandbox_permissions=require_escalated`) to perform authentication and status checks, which grants the agent higher-than-normal privileges within its environment.
- [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection by fetching and acting upon untrusted data from an external source (GitHub).
  - Ingestion points: `scripts/fetch_comments.py` retrieves the `body` of PR comments, reviews, and review threads via the GitHub GraphQL API.
  - Boundary markers: The skill lacks delimiters or specific instructions to the agent to disregard potential commands or instructions embedded within the fetched comment text.
  - Capability inventory: The `SKILL.md` instructions explicitly direct the agent to "Apply fixes for the selected comments" (Step 3), which involves modifying the local file system and potentially executing additional commands based on the content of those external comments.
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the fetched comment content before it is processed as a set of instructions for the agent.
Audit Metadata