gh-address-comments

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). The prompt explicitly tells the agent to run commands with "elevated network access" and to bypass sandboxing (e.g. "sandbox_permissions=require_escalated") to override runtime restrictions—instructions that attempt to change/override the execution environment and escalate privileges beyond the skill's stated, user-facing purpose, which is a form of prompt injection.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow (SKILL.md) requires running scripts/fetch_comments.py which calls gh api graphql to fetch PR conversation comments, reviews, and review threads from GitHub (user-generated, untrusted third-party content) and then instructs the agent to read, summarize, and act on those comments, so external content can directly influence actions.