babysit-pr

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests PR comments to automate code changes.
      • Ingestion points: PR issue comments and review comments are fetched from GitHub via the scripts/gh_pr_watch.py script.
      • Boundary markers: The skill does not use explicit delimiters to wrap the untrusted comment content when presenting it to the agent, although the agent is instructed to verify the correctness of requested changes.
      • Capability inventory: The agent has the capability to modify local files, commit, and push to remote branches, as well as trigger CI reruns.
      • Sanitization: The skill implements author-based filtering in scripts/gh_pr_watch.py, only surfacing feedback from repo Owners, Members, Collaborators, or specified trusted bots.
  • [COMMAND_EXECUTION]: The skill executes the GitHub CLI (gh) and a local Python script to perform its tasks. Commands are constructed using lists to prevent shell injection, and the operations performed (viewing PRs, rerunning CI, and commenting) are within the expected scope of the skill's functionality.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 17, 2026, 02:37 AM