babysit-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and consumes user-generated GitHub content (issue comments, inline review comments, and review submissions via gh api endpoints such as repos/{owner}/{repo}/issues/<pr_number>/comments and pulls/<pr_number>/comments and inspects run logs with gh run view --log-failed), and the SKILL.md + scripts instruct the agent to read/interpret those items to decide actions (e.g., patch, commit, push, or rerun CI), so untrusted third-party content can materially influence tool use and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill calls GitHub API endpoints at runtime (e.g., gh api repos/{owner}/{repo}/issues/<pr_number>/comments and repos/{owner}/{repo}/pulls/<pr_number>/comments/reviews) to fetch review/issue comment bodies which the agent consumes to decide actionable code edits and pushes, so remote content can directly control the agent's instructions.