session-handoff
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (LOW): The skill directs agents to ingest and execute instructions ('Immediate Next Steps') from external Markdown files in the .claude/handoffs/ directory. This creates a surface where a malicious actor or a previous compromised session could influence the agent's future actions.
  1. Ingestion points: Content of handoff documents in .claude/handoffs/ as defined in SKILL.md.
  2. Boundary markers: Absent; the agent is instructed to read the file 'completely' without specific delimiters for untrusted content.
  3. Capability inventory: The agent has permissions to execute local Python scripts, run Git commands, and read/write project files.
  4. Sanitization: Validation scripts (validate_handoff.py) are mentioned to check for secrets and completeness, but they do not verify the safety or intent of the natural language instructions provided in the handoff.
- Command Execution (SAFE): The skill utilizes local Python scripts (e.g., list_handoffs.py) for project state management. These scripts use standard Python libraries (os, pathlib, re) and do not perform arbitrary command execution from untrusted inputs.
Audit Metadata