gh-address-comments

Pass

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection: The skill is designed to read and act upon GitHub pull request comments and review feedback. This creates a surface for indirect prompt injection, where an external actor could place instructions within a GitHub comment attempting to influence the agent's actions (e.g., trying to redirect file modifications or bypass logic).
    • Ingestion points: The scripts/fetch_comments.py script retrieves data from GitHub's GraphQL API, including comments, reviews, and reviewThreads.
    • Boundary markers: The instructions in SKILL.md do not define specific markers or delimiters to separate the ingested comment text from the agent's core instructions.
    • Capability inventory: The skill has the capability to modify local files to "implement the selected fixes locally," so a successful injection could result in unwanted changes to the local codebase.
    • Sanitization: No explicit sanitization or filtering of the fetched comment content is performed before the agent processes it.
  • Command Execution: The skill wraps the GitHub CLI (gh) to perform its operations, using the Python subprocess module to execute commands.
    • Context: In scripts/fetch_comments.py, the _run function executes commands passed as a list, so no shell interprets the arguments. This is a standard and relatively secure way to interact with system tools, provided the input parameters (like repository names or PR numbers) are handled correctly.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 28, 2026, 06:21 PM