gh-address-comments
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
scripts/fetch_comments.pyfile executes the GitHub CLI (gh) via the Pythonsubprocessmodule to retrieve pull request information and authentication status. The instructions inSKILL.mdalso explicitly prompt for escalated sandbox permissions (sandbox_permissions=require_escalated) to ensureghCLI commands succeed, which bypasses default security constraints. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from GitHub PR comments.
- Ingestion points: External data enters the agent context through
scripts/fetch_comments.py, which fetches bodies of comments, reviews, and review threads via the GitHub GraphQL API. - Boundary markers: The instructions lack explicit delimiters (e.g., XML tags or triple quotes) to separate untrusted comment content from system instructions.
- Capability inventory: The agent is empowered to 'Apply fixes,' which involves modifying the local file system and potentially committing changes.
- Sanitization: There is no evidence of sanitization or filtering applied to the retrieved comment text before it is presented to the agent for action.
Audit Metadata