address-github-comments
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface detected.
  1. Ingestion point: The skill reads untrusted data from GitHub PR comments using the 'gh pr view --comments' command in SKILL.md.
  2. Boundary markers: There are no explicit delimiters or instructions telling the agent to treat the PR comment content as data rather than instructions.
  3. Capability inventory: The agent is permitted to execute shell commands via 'gh' and perform file system modifications to 'Apply fixes'.
  4. Sanitization: No sanitization or filtering is performed on the ingested comments.

  This risk is partially mitigated by the requirement to 'Wait for user confirmation' before taking action on the comments.
Audit Metadata