pr-babysit
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It retrieves PR comments and CI logs from external sources (reviewers and CI bots) and uses this untrusted content to drive its autonomous decision-making process. A malicious contributor could post a comment disguised as 'Valid' feedback containing instructions to manipulate the agent's behavior, such as committing malicious code or deleting files.
  - Ingestion points: PR metadata, review comments, and CI logs are fetched via `gh api` and `gh pr checks` in `SKILL.md` (Step 1).
  - Boundary markers: There are no explicit delimiters or system instructions to the agent to treat these external inputs as untrusted or to ignore embedded instructions.
  - Capability inventory: The agent has the capability to modify local source code, execute `git push`, post comments, and create issues via `gh` and `glab` CLIs.
  - Sanitization: The workflow does not include any validation or escaping of the comment content before it influences code generation or command logic.
- [COMMAND_EXECUTION]: The skill relies on shell-based tools (`git`, `gh`, `glab`) to perform its operations. While these tools are used for their intended purpose, their execution and the arguments passed to them are influenced by data from untrusted external sources (PR comments and CI outputs), creating a risk of command injection if the agent is misled by malicious input.