erk-exec
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents how to use the `erk exec` CLI utility to perform a wide variety of repository management tasks, including landing PRs, initializing implementation contexts, and managing session logs.
- [DATA_EXFILTRATION]: The skill includes commands to read data from GitHub APIs, such as fetching PR review comments, discussion threads, and issue bodies (e.g., via `get-pr-review-comments`, `get-issue-body`). It also facilitates pushing preprocessed session logs to remote GitHub branches (`push-session`, `upload-impl-session`). These operations are restricted to GitHub, a well-known service, and are essential to the skill's workflow management functionality.
- [EXTERNAL_DOWNLOADS]: The skill provides functionality to download session information from external sources, specifically GitHub branches or Gists (via `download-remote-session`), to synchronize state between Claude Code sessions.
- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection because it ingests untrusted content from GitHub that is subsequently processed by an LLM in workflows like code review and conflict resolution.
  - Ingestion points: External data enters the context through commands such as `get-issue-body`, `get-pr-review-comments`, `get-pr-discussion-comments`, and `get-pr-feedback`.
  - Boundary markers: The documentation does not specify the use of delimiters or instructions for the agent to ignore potentially malicious instructions embedded within the retrieved data.
  - Capability inventory: The skill provides significant write permissions, including merging code (`land-execute`), creating/updating PRs (`plan-save`, `update-pr-description`), and posting comments (`post-pr-inline-comment`).
  - Sanitization: No validation or sanitization logic for ingested content is described in the skill guide or reference.
Audit Metadata