babysit-pr
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple command-line interface tools to manage the PR lifecycle.
  - Evidence includes the use of `git` for branch management (fetch, rebase, push), `gh` for GitHub interactions, and platform-specific CLIs such as `bk` (Buildkite), `vercel`, and `flyctl` for log retrieval and CI/CD operations.
  - Safety measures are implemented, such as the use of `--force-with-lease` during git pushes to prevent overwriting remote work.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and acts upon content from potentially untrusted external sources.
  - Ingestion points: Reads PR review threads, human and bot comments via GitHub APIs, and diagnostic logs from CI/CD platforms (`references/github-api.md`, `references/ci-platforms.md`).
  - Boundary markers: The skill does not use explicit boundary markers or XML tags to isolate untrusted data within its prompts, though it does quote original comments in its fix plan document.
  - Capability inventory: The skill has broad capabilities including file modification, code commitment, branch pushing, and the execution of subagents to apply fixes.
  - Sanitization: No specific sanitization or instruction-filtering logic is documented beyond stripping boilerplate from comment excerpts.
  - Mitigation: The risk is lowered by the mandatory 'Phase 3: Plan' step, which requires the user to review and manually approve the fix plan before any modifications are executed.
Audit Metadata