Skills
skills/dagster-io/erk/pr-operations/Gen Agent Trust Hub

pr-operations

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is subject to indirect prompt injection risks because it retrieves and acts upon external data from GitHub PR comments.
  • Ingestion points: Comments are fetched via get-pr-review-comments and get-pr-discussion-comments as documented in references/commands.md.
  • Boundary markers: There are no explicit instructions or delimiters defined to prevent the agent from following instructions that might be embedded within the retrieved PR comments.
  • Capability inventory: The skill allows the agent to execute shell commands via the erk utility, such as resolve-review-thread and post-pr-inline-comment.
  • Sanitization: No sanitization or filtering of the fetched comment content is specified before the agent evaluates it for classification and response generation.
  • [COMMAND_EXECUTION]: The skill uses the erk CLI for pull request management. This tool is treated as a legitimate vendor resource provided by the skill author for its intended purpose.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 8, 2026, 03:21 AM