babysit-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and processes user-generated GitHub content (issue comments, inline review comments, and review submissions) via the gh API endpoints in scripts/gh_pr_watch.py (fetch_new_review_items / gh_api_list_paginated calling repos/{repo}/issues/<pr_number>/comments, repos/{repo}/pulls/<pr_number>/comments, repos/{repo}/pulls/<pr_number>/reviews) and SKILL.md requires the agent to read and act on those comments (patch/commit/push or reply), so untrusted third-party content can directly influence tool use and decisions.