babysit-pr
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from external sources and uses that data to influence its autonomous code-writing and execution behavior.
  - Ingestion points: PR review comments via `gh api graphql` and CI failure logs via `gh run view --log-failed`.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present when processing these external strings.
  - Capability inventory: The agent has the capability to modify the local filesystem (writing code fixes), execute arbitrary shell commands (during local verification), and push changes to a remote repository (`gt submit`).
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from GitHub comments or logs before it is processed by the agent's logic.
- [COMMAND_EXECUTION]: The skill executes local verification commands such as tests, linters, and type-checkers as defined in the project's local documentation (e.g., `CLAUDE.md` or `AGENTS.md`). While standard for agentic workflows, this allows the execution of arbitrary shell commands defined within the repository.