babysit-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and processes untrusted, user-generated GitHub content (see "Collect PRs Across the Stack" and sections 3b/3c where it uses gh api/graphql to read reviewThreads and gh api to fetch PR/review/issue comments) and requires the agent to read and act on those comments to decide fixes, replies, and pushes—allowing third-party text to influence agent actions.