babysit-pr

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE; findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill fetches external, potentially untrusted data from GitHub PR reviews and comments via API calls (gh api and GraphQL). It then instructs the agent to 'Classify and act' on this content.
      • Ingestion points: SKILL.md (Step 3b and 3c) processes comment bodies from reviewThreads, top-level review bodies, and issue comments.
      • Boundary markers: Absent. The instructions do not provide delimiters or specific warnings to the agent to treat the fetched text as untrusted data.
      • Capability inventory: SKILL.md (Step 4) grants the agent the ability to modify local code (gt modify --commit), restack branches (gt restack), and push changes to the remote repository (gt submit --stack).
      • Sanitization: Absent. There is no evidence of content filtering or validation before the comment data is passed to the language model for classification and action.
  • [COMMAND_EXECUTION]: Extensive use of local CLI tools. The skill relies on the Graphite (gt) and GitHub (gh) command-line interfaces to perform its core functions. It executes commands such as gt ls, gt checkout, gt modify, and gt submit in a loop. These high-privilege operations are directly influenced by the data ingested from PR comments, increasing the risk profile of the skill.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 17, 2026, 11:24 PM