managing-handoffs
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Direct interpolation of file metadata into shell commands. The Close Handoff operation uses yq to read the created field from a file and places it into a git log command string without sanitization.
- [COMMAND_EXECUTION]: Use of user-influenced titles in filesystem operations. The Create Handoff and Close Handoff operations use a slug derived from the user-provided title for file paths and git commands, which may permit path traversal if the title contains sequences like ../.
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection via document metadata.
- Ingestion points: YAML frontmatter in /docs/handoffs/ markdown files.
- Boundary markers: None; metadata values are used directly in execution logic.
- Capability inventory: File system access (mv, find), version control (git), and testing framework execution (pytest).
- Sanitization: Limited to replacing spaces and underscores in titles; no escaping for shell metacharacters or path sequences in metadata fields.
Audit Metadata