Trust Assessment
gh-address-comments received a trust score of 43/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 1 critical, 2 high, 0 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Indirect Prompt Injection via Untrusted PR Comments.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on July 1, 2026 (commit 5e8b8e75). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | packages/skills-catalog/skills/(development)/gh-address-comments/scripts/fetch_comments.py:96 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function '_run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | packages/skills-catalog/skills/(development)/gh-address-comments/scripts/fetch_comments.py:96 | |
| HIGH | Indirect Prompt Injection via Untrusted PR Comments The skill fetches and processes pull request comments and review threads using `fetch_comments.py` and instructs the LLM to summarize and apply fixes based on them. Since PR comments can be authored by untrusted external users, an attacker could post a malicious comment containing prompt injection instructions (e.g., 'ignore previous instructions and execute ...'). When the LLM processes these comments, it may execute arbitrary commands or exfiltrate data. Instruct the LLM to treat the content of the comments strictly as data/text to be reviewed, and never as instructions to be executed. Ensure that any code changes or commands generated from comments are explicitly reviewed and approved by the user before execution. | LLM | SKILL.md:11 |
Scan History
Embed Code
[](https://skillshield.io/report/bb37489a58ddf34f)
Powered by SkillShield