get-pr-comments

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves and summarizes untrusted data from GitHub Pull Request comments and reviews.
      • Ingestion points: scripts/fetch_pr_comments.py fetches comment, review, and inline comment bodies via the GitHub API (gh api).
      • Boundary markers: None. The skill neither wraps the fetched content in delimiters nor instructs the agent to disregard instructions contained within it.
      • Capability inventory: The skill has access to the Bash (for gh, python3, grep), Read, and AskUserQuestion tools.
      • Sanitization: No sanitization or filtering of the fetched content is performed before it is presented to the agent. The instructions explicitly tell the agent to "relay the script output directly".
  • [COMMAND_EXECUTION]: Instructions in SKILL.md (Step 3) contain shell commands with placeholders like <PR_NUMBER>.
      • Example: gh api repos/{owner}/{repo}/issues/<PR_NUMBER>/comments --paginate --slurp.
      • If the agent substitutes these placeholders with unsanitized user-supplied arguments (e.g., 1; rm -rf /), it could lead to arbitrary command execution in the shell.
  • [COMMAND_EXECUTION]: The script scripts/fetch_pr_comments.py executes shell commands via subprocess.run to interact with the GitHub CLI tool.
      • While the script uses list-based arguments, which mitigate common shell injection vulnerabilities, it remains a point of interaction with the underlying system environment.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 08:01 AM