address-github-comments
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection vulnerability surface detected. The skill reads external, untrusted data from GitHub PR/Issue comments using gh pr view --comments. If a malicious actor provides a comment containing instructions formatted to look like agent commands, the agent might execute them while attempting to 'address' the feedback.
  - Ingestion points: GitHub PR comments retrieved via the gh CLI.
  - Boundary markers: Absent. There are no instructions to the LLM to treat comment content as data only or to ignore embedded instructions.
  - Capability inventory: The skill implies file system modification ('Apply the code changes') and command execution via the gh CLI.
  - Sanitization: None specified in the workflow.
- [COMMAND_EXECUTION] (SAFE): The skill utilizes the gh CLI for its primary purpose. These commands (gh auth status, gh pr view, gh pr comment) are standard for the described use case and do not represent a security risk on their own, provided the input parameters (like <PR_NUMBER>) are handled correctly by the agent.
Audit Metadata