erk-exec
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The primary function of this skill is to provide instructions and a full reference for executing subcommands of the `erk exec` CLI tool. These commands facilitate workflows such as PR review management, plan operations, and inter-process communication.
- [EXTERNAL_DOWNLOADS]: Several commands involve fetching data from external remote sources:
  - `download-remote-session`: Downloads session data from GitHub gists or specific git branches.
  - `fetch-sessions`: Downloads preprocessed sessions from remote `planned-pr-context` branches.
- [PROMPT_INJECTION]: The skill exhibits a vulnerability surface for indirect prompt injection because it ingests untrusted data from external sources and provides it to the agent's context.
  - Ingestion points: Commands such as `get-pr-review-comments`, `get-issue-body`, `get-pr-discussion-comments`, `get-pr-feedback`, and `get-review-activity-log` (found in `reference.md`) fetch content directly from GitHub PRs and issues.
  - Boundary markers: No specific delimiters or warnings to ignore embedded instructions were identified in the command documentation.
  - Capability inventory: The skill possesses significant capabilities across its command set, including file system operations (`marker create/delete`), network uploads (`push-session`), and the ability to modify GitHub state (`update-issue-body`, `post-pr-inline-comment`, `close-pr`).
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the content fetched from GitHub before it is used to inform agent actions.
Audit Metadata