session-management
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (categories flagged: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The checkpoint.py and handoff.py scripts utilize subprocess.run to execute git commands. Commands are constructed using list-based arguments without shell=True, preventing shell injection.
- [DATA_EXPOSURE] (SAFE): The skill reads from local project configuration files and state files (.session/config.yaml, .sessions/state.json). It does not access sensitive system secrets (e.g., SSH keys) or transmit data over the network.
- [PROMPT_INJECTION] (SAFE): Documentation templates and assets provide structural guidance for project architecture and conventions and do not contain malicious instructions intended to override agent behavior.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill has an injection surface.
  1. Ingestion points: Git diffs and commits (checkpoint.py) and user-supplied CLI notes (handoff.py).
  2. Boundary markers: Absent in generated markdown reports.
  3. Capability inventory: Subprocess git calls (checkpoint.py) and file-write operations (handoff.py).
  4. Sanitization: Absent.
  While typical for reporting tools, this allows untrusted external content (such as commit messages) to be interpolated into the agent's context without delimiters.
Audit Metadata