openai-gh-address-comments
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. 1. Ingestion points: The scripts/fetch_comments.py script retrieves untrusted body content from GitHub PR comments and review threads. 2. Boundary markers: SKILL.md contains no delimiters or instructions to ignore embedded commands within the fetched data. 3. Capability inventory: The agent is granted the Bash tool and is explicitly instructed to 'Apply fixes' for comments, which enables it to perform file system and shell operations based on attacker-controlled text. 4. Sanitization: There is no process for validating or sanitizing the data before it is processed.
- COMMAND_EXECUTION (LOW): The skill utilizes subprocess.run to call the GitHub CLI. While the script uses list-based arguments to prevent shell injection into the gh command itself, the overall workflow permits the agent to execute actions driven by untrusted external content.
Recommendations
- AI detected serious security threats