gh-address-comments

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow and scripts (scripts/fetch_comments.py and SKILL.md) explicitly fetch and ingest GitHub PR conversation comments and review threads via gh api graphql, which are untrusted, user-generated third-party content that the agent is expected to read and act on when deciding and applying fixes.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs running gh commands "with elevated network access" and to rerun auth/status with sandbox_permissions=require_escalated (bypassing sandboxing and requesting escalated permissions), which attempts to circumvent security controls even though it doesn't ask for sudo or system-file changes.