pr-babysitter

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection attack surface because it retrieves and processes untrusted content from external pull request comments and CI/CD logs.
      • Ingestion points: Review threads and issue comments are fetched from GitHub (referenced in references/github-api.md); build logs are fetched from platforms like Buildkite, Vercel, and Fly.io (referenced in references/ci-platforms.md).
      • Boundary markers: No specific delimiters or boundary markers are used to isolate untrusted comment data from the agent's instructions during interpolation.
      • Capability inventory: The skill has permissions to execute sensitive operations including git push --force-with-lease, vercel --force deployments, and modifying PR state via GitHub's API.
      • Sanitization: The skill relies on behavioral logic (classifying bot vs. human content) rather than string-level sanitization to handle external inputs.
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands through various development tools including git, gh, vercel, flyctl, and bk. It also performs package management operations such as npm install, yarn, or pnpm install when resolving automated lockfile merge conflicts. These operations are consistent with the skill's primary function.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to communicate with well-known and trusted infrastructure, including GitHub, Buildkite, Vercel, and Fly.io. These connections are used for tracking build status and retrieving logs.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 17, 2026, 12:09 AM