address-github-comments
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from GitHub PR comments using `gh pr view --comments`. These comments could contain instructions intended to hijack the agent's logic during the categorization or fix application phases.
  - Ingestion points: Comments are fetched in `SKILL.md` via the `gh` CLI.
  - Boundary markers: The skill does not define specific delimiters or instructions to ignore embedded commands within the comments.
  - Capability inventory: The agent is authorized to apply code changes and execute GitHub CLI commands like `gh pr comment`.
  - Sanitization: No sanitization or validation of the comment content is mentioned before it is processed by the AI.
- [COMMAND_EXECUTION]: The skill uses the GitHub CLI (`gh`) to perform repository operations. While these are legitimate actions for the skill's stated purpose, they represent the capability surface that could be exploited if an indirect prompt injection attack is successful.
Audit Metadata