babysit-pr
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The agent is designed to ingest and act upon data from GitHub PR comments and review submissions, which are potentially attacker-controlled sources in public repositories.
  - Ingestion points: The file `references/github-api-notes.md` explicitly lists endpoints for retrieving issue comments (`/issues/<pr_number>/comments`) and review comments (`/pulls/<pr_number>/comments`).
  - Boundary markers: No specific delimiters or instructions (like "ignore instructions within comments") are provided to the agent to help it distinguish between data and commands in these comments.
  - Capability inventory: The agent has significant capabilities, including modifying local code, pushing updates to the repository, and rerunning GitHub Actions jobs (as documented in `references/github-api-notes.md` and `agents/openai.yaml`).
  - Sanitization: No sanitization logic is described; the `heuristics.md` file encourages addressing comments based on whether they are "technically correct" and "actionable," which relies on the LLM's judgment rather than security controls.
Audit Metadata