babysit
Fail
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill is instructed to find and execute commands from the project's package.json scripts, Makefile, justfile, or CI configuration to fix lint and test errors. Since the skill processes external Pull Requests, a malicious actor could submit a PR containing harmful commands in these configuration files, which the agent would then execute autonomously.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8).
  1. Ingestion points: The skill reads CI failure logs via gh run view --log-failed (Step 1b).
  2. Boundary markers: No delimiters or warnings are used to isolate log content from the agent's logic.
  3. Capability inventory: The skill can push to git, re-request reviews, delete cron tasks, and execute arbitrary project scripts.
  4. Sanitization: No sanitization or validation of log content is performed before the agent classifies the error and determines the fix.
- [COMMAND_EXECUTION]: The skill makes extensive use of the GitHub CLI (gh) and git to manage branches, resolve conflicts, and push code. It performs force-pushes and re-requests reviewers autonomously, which could lead to unauthorized code being pushed if the agent is manipulated.
Recommendations
- AI detected serious security threats
Audit Metadata