skills/dagster-io/erk/erk-planning/Gen Agent Trust Hub

erk-planning

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill's operations are confined to managing implementation plans through the 'erk' CLI and the well-known GitHub CLI ('gh'). All command executions and file system interactions (e.g., ~/.claude/plans/) are consistent with the skill's documented purpose of plan management.
  • [PROMPT_INJECTION]: Indirect prompt injection surface analysis:
      • Ingestion points: The skill fetches untrusted data from GitHub PR comments using gh pr view (references/workflow.md).
      • Boundary markers: Specific metadata delimiters (<!-- erk:metadata-block:plan-body -->) are used to isolate plan content and prevent the agent from misinterpreting data as instructions (SKILL.md).
      • Capability inventory: The skill has the ability to execute CLI commands (erk exec) and post comments to GitHub (gh pr comment) (SKILL.md, references/workflow.md).
      • Sanitization: The skill does not explicitly detail sanitization or filtering logic for the fetched GitHub comment content.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 11:48 PM