github-comment-body-file-safety

Prevent shell-quoting and command-substitution bugs when posting GitHub issue/PR comments or editing bodies with gh CLI.

5 stars

Best use case

github-comment-body-file-safety is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Prevent shell-quoting and command-substitution bugs when posting GitHub issue/PR comments or editing bodies with gh CLI.

Teams using github-comment-body-file-safety should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/github-comment-body-file-safety/SKILL.md --create-dirs "https://raw.githubusercontent.com/vamseeachanta/workspace-hub/main/.agents/skills/github/github-comment-body-file-safety/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/github-comment-body-file-safety/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How github-comment-body-file-safety Compares

Feature / Agentgithub-comment-body-file-safetyStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Prevent shell-quoting and command-substitution bugs when posting GitHub issue/PR comments or editing bodies with gh CLI.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# GitHub Comment Body-File Safety

## Problem

Inline `gh ... --body "..."` looks convenient, but shell parsing happens before GitHub CLI sees the text.
If the body contains backticks, `$()`, code fences, or other shell-significant characters, the shell can:
- execute unintended commands
- strip or mangle content
- turn file paths into failing shell commands
- post broken comments

This happened in live use when a GitHub comment included markdown code spans like `docs/plans/...` and `tests/...` inline; the shell tried to execute those paths.

## Rule

If the body contains any markdown/code formatting or dynamic content, use `--body-file`.
Do not use inline `--body`.

## Safe pattern

```bash
cat > /tmp/gh-comment.md <<'EOF'
Planning update:

- Draft saved at `docs/plans/2026-04-20-issue-2419-skill-markdown-contract-drift.md`
- Index updated in `docs/plans/README.md`
- Next check: `uv run pytest tests/skills/test_repo_skill_parity_merges.py -q`
EOF

gh issue comment 2419 --body-file /tmp/gh-comment.md
```

Also use the same pattern for:
- `gh pr comment ... --body-file`
- `gh issue edit ... --body-file`
- `gh pr edit ... --body-file`
- `gh issue create ... --body-file`

Important: this is not just a comment/edit problem. `gh issue create --body "..."` is equally vulnerable. In live use, an inline create body containing markdown code spans caused bash to try executing repo paths and run IDs, producing a malformed issue body. The safe recovery was to rewrite the intended issue body to a temp markdown file and run `gh issue edit --body-file ...`.

## When body-file is mandatory

Use `--body-file` if the text includes:
- backticks: `` `...` ``
- command substitutions: `$()`
- fenced code blocks
- file paths or commands copied from plans/tests
- multiline markdown
- text generated from tools/scripts
- any user-provided content you did not fully hand-escape

## Recovery pattern

If an inline comment/body was already posted and looks mangled:
1. write the intended text to a temp markdown file
2. re-post or edit using `--body-file`
3. for malformed new issues created via `gh issue create --body`, immediately repair the issue with `gh issue edit --body-file <file>`
4. verify the rendered GitHub comment/body afterward

## Minimal checklist

Before any `gh ... --body` call, ask:
1. Does this text contain backticks or markdown? If yes, use `--body-file`.
2. Was any part of this text produced dynamically? If yes, use `--body-file`.
3. Do I want exact rendering with zero shell interpretation? If yes, use `--body-file`.

## Bottom line

`--body-file` is the safe default.
Inline `--body` is only for truly simple, shell-safe one-liners.

Related Skills

marine-safety-incidents

5
from vamseeachanta/workspace-hub

Collect, analyze, and report marine safety incident data from 7 global maritime authorities. Use for incident scraping, safety trend analysis, risk assessment, geographic hotspot identification, and marine safety reporting.

tax-filing-session-setup-with-github-tracking

5
from vamseeachanta/workspace-hub

Structured workflow for preparing and tracking a tax filing session using prepared documents, task checklist, and GitHub issue cross-referencing

tax-filing-session-setup-with-github-traceability

5
from vamseeachanta/workspace-hub

Structured workflow for setting up a multi-file tax filing session with GitHub issue tracking and prepared-file validation

nested-git-repo-stash-safety

5
from vamseeachanta/workspace-hub

How to safely stash changes in a parent repo containing dirty nested git repositories

multi-file-tax-reconciliation-workflow

5
from vamseeachanta/workspace-hub

Systematic parallel review and reconciliation of multi-document tax filings with cross-reference validation

multi-file-tax-prep-orchestration

5
from vamseeachanta/workspace-hub

Structured approach to complex multi-file tax return preparation with traceability and planning

github-issue-structure-for-personal-finance-tracking

5
from vamseeachanta/workspace-hub

Pattern for organizing financial analysis work across multiple repos (data/config vs. logic separation)

git-large-file-staging-conflict-recovery

5
from vamseeachanta/workspace-hub

Recover from pre-commit hook blocks on oversized files and corrupted rebase states during bulk repo syncs

freetaxusa-eefile-navigation-pattern

5
from vamseeachanta/workspace-hub

Handling session timeouts and navigating FreeTaxUSA's multi-step e-filing flow to the signature page

interactive-Codex-to-file-based-fallback

5
from vamseeachanta/workspace-hub

Switch from tmux/interactive Codex to file-based Codex -p execution when interactive runs fail with upstream errors or analysis-only stalls, then verify landing from git/GitHub state.

preserved-plan-refile-with-attested-review-wave

5
from vamseeachanta/workspace-hub

Reopen a previously closed GitHub issue with a preserved local plan, rewrite it into a conservative draft, and drive iterative attested adversarial review waves until it is truly approval-ready.

plan-draft-review-artifact-truthfulness-and-issue-body-alignment

5
from vamseeachanta/workspace-hub

Keep plan drafts truthful during adversarial review loops by verifying real provider artifact state on disk and aligning the GitHub issue body to the bounded plan tranche before claiming approval-readiness.