The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes data from GitHub Actions logs. A malicious pull request could be crafted to produce log output containing instructions that the agent might interpret as authoritative commands during its diagnosis and fixing phase.
Ingestion points: The skill reads logs via gh run view <run-id> --log-failed (SKILL.md) and displays them in the monitoring loop (scripts/monitor.sh).
Boundary markers: No specific delimiters or instructions are used to distinguish log data from agent instructions.
Capability inventory: The agent has the authority to execute git push, gh pr merge, and eas build commands, which could be abused if the agent is misled by injected instructions.
Sanitization: There is no evidence of sanitization or filtering of the ingested log content.
[DATA_EXFILTRATION]: The skill sends the EAS build URL of the mobile preview to a third-party API (api.qrserver.com) to generate a QR code. This exposes the build artifact's location to an external service not directly managed by the user or the primary vendor.
Evidence: QR_URL="https://api.qrserver.com/v1/create-qr-code/?size=250x250&data=${BUILD_URL}" in both SKILL.md and scripts/monitor.sh.
[COMMAND_EXECUTION]: The skill performs automated shell command execution to resolve conflicts and merge PRs. While standard for this workflow, the use of git push --force-with-lease and gh pr merge --auto represents a high-privilege operation that is automatically triggered based on external CI states.
Evidence: Git rebase and push logic in SKILL.md; automated merge logic in scripts/monitor.sh.

babysit-pr