babysit-pr
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/gh_pr_watch.py invokes the gh CLI using subprocess.run with a list of strings for the command and its arguments. This is a secure implementation that avoids shell injection vulnerabilities.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it fetches and processes external data from GitHub PR comments and reviews to drive automated code edits. A malicious contributor could embed instructions in a comment to influence the agent's behavior.
  - Ingestion points: GitHub issue comments and PR review comments are fetched via gh api in scripts/gh_pr_watch.py.
  - Boundary markers: The data is processed as structured JSON, but the prompt instructions lack explicit delimiters or warnings telling the agent to ignore instructions embedded within the fetched text.
  - Capability inventory: The agent has the capability to edit files, commit changes, push to remote branches, and execute local scripts.
  - Sanitization: The script performs an author association check (restricting input to OWNER, MEMBER, and COLLABORATOR), but does not sanitize or filter the content of the comments themselves.
Audit Metadata