babysit-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's watcher scripts (notably scripts/gh_pr_watch.py and scripts/gh_deploy_watch.py) call the GitHub CLI / API (e.g., gh_api_list_paginated, comment_endpoints, fetch_review_activity) to ingest issue comments, review comments, reviews, workflow runs and deployment statuses—user-generated, untrusted content that the code parses (extract_review_score, normalize_* functions) and uses to decide actions like processing comments, retrying CI, or marking a PR ready/stop, which could allow indirect prompt-injection via malicious third-party comments or workflow metadata.