babysit-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and consumes GitHub PR issue comments, inline review comments, and review submissions via gh api endpoints (see scripts/gh_pr_watch.py fetch_new_review_items using repos/{owner}/{repo}/issues/<pr_number>/comments, pulls/<pr_number>/comments, and pulls/<pr_number>/reviews) and SKILL.md instructs the agent to inspect and act on those surfaced, user-generated review items (patch/commit/push), so untrusted third-party content can directly influence tool use and actions.