pr-feedback-classifier

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes external, untrusted text (PR comments) fetched from a repository. An attacker with comment access to the PR could attempt to influence the agent's behavior during classification.
    • Ingestion points: erk exec get-pr-feedback (in SKILL.md) retrieves external comment data into the agent's context.
    • Boundary markers: The prompt lacks delimiters (e.g., XML tags or distinct markers) or specific "ignore embedded instructions" warnings for the comment text.
    • Capability inventory: The agent can execute git and erk commands, and has access to the PR classification logic.
    • Sanitization: No sanitization or validation of the comment content is performed before it is processed by the model.
  • [COMMAND_EXECUTION]: The skill executes git diff and a custom CLI tool erk to retrieve repository metadata and PR feedback. These commands are utilized for their intended purpose of data retrieval within the skill's context.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 8, 2026, 03:05 PM