babysit-pr
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes the 'gh' (GitHub CLI) and 'git' command-line tools to interact with repository data, monitor CI checks, and handle PR updates. These actions are aligned with the skill's operational goals and use subprocess calls without shell invocation.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes content from pull request comments and reviews. An attacker with repository access could potentially craft feedback to manipulate the agent's logic.
  - Ingestion points: Pull request comments, reviews, and inline feedback retrieved via 'gh api' in 'scripts/gh_pr_watch.py'.
  - Boundary markers: No explicit delimiters are used in the prompt instructions to separate untrusted comment content from system instructions.
  - Capability inventory: The skill can execute shell commands via 'gh' and 'git' and modify pull request states as defined in 'SKILL.md'.
  - Sanitization: The skill implements a safety check in 'scripts/gh_pr_watch.py' that filters feedback based on 'author_association', only acting on comments from owners, members, and collaborators.
Audit Metadata