Security risk report for @forgecat/openai_skills_gh-address-comments v0.0.10
Source Integrity
Low
Profile sourced from OpenAI's official skills repository (github.com/openai/skills) with clear attribution and commit hash.
Metadata includes license (Apache-2.0), version, and original repository — supply chain transparency is present.
Agent Intent
INT-000Medium
The skill instructs the agent to run an external script (`scripts/fetch_comments.py`) whose contents are not included or verified, creating a risk of arbitrary code execution if that script is attacker-controlled or tampered with.
Instructions to run `gh auth status` with 'escalated permissions' and `sandbox_permissions=require_escalated` nudge the agent to bypass sandbox restrictions, which is a privilege-escalation pattern beyond normal PR comment handling.
The core workflow (authenticate gh CLI, read PR comments, apply code fixes) is broadly legitimate, but the combination of external script execution and sandbox-bypass language warrants caution.
Details
Evidence
"Run scripts/fetch_comments.py which will print out all the comments and review threads on the PR"
"rerun it with `sandbox_permissions=require_escalated`"
"Run all `gh` commands with elevated network access"
Permissions
PRM-000Medium
The skill requests 'elevated network access' and 'escalated permissions' for gh commands, which is broader than the stated purpose of simply reading and addressing PR comments.
Instructing the agent to include 'workflow/repo scopes' goes beyond minimal read access needed for comment inspection, granting write-level repository authority.
No explicit shell or file-write tools are declared, but the instruction to execute an external Python script implicitly requires shell/subprocess access.
Details
Evidence
"Run all `gh` commands with elevated network access"
"run `gh auth status` with escalated permissions (include workflow/repo scopes)"
"Run scripts/fetch_comments.py"
MCP Risk
Low
No MCP servers are declared in the profile.
No hidden tool descriptions or arbitrary binary execution vectors present.