pr-operations
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to instructions embedded in the data it processes.
- Ingestion points: Untrusted external data enters the context via
get-pr-review-commentsandget-pr-discussion-commentsinSKILL.md. - Capability inventory: The agent has write capabilities including
resolve-review-thread,reply-to-discussion-comment, andpost-pr-inline-comment. - Boundary markers: There are no specified delimiters or 'ignore' instructions to separate fetched comment content from the agent's system instructions.
- Sanitization: No evidence of sanitization or validation for content retrieved from the GitHub API.
- [Command Execution] (LOW): The skill relies on executing a local CLI tool named
erk. - Evidence: Multiple instances of
erk exec <command>throughout the markdown file. While these are controlled commands, the underlyingerktool's security profile is unknown.
Recommendations
- AI detected serious security threats
Audit Metadata