handoffs
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to indirect prompt injection. It instructs the agent to analyze the conversation history chronologically and extract 'Next Steps' and 'Pending Tasks'. If the conversation includes malicious instructions from an untrusted source (e.g., a summarized webpage or a tool output), these can be promoted into the handoff file. Since the handoff file is intended to be the 'ground truth' for the next session, this allows an attacker to control the agent's future behavior.
- Ingestion points: Entire conversation history is analyzed.
- Boundary markers: None. Conversation data is not delimited or treated as untrusted.
- Capability inventory: Ability to create directories and write files to '.claude/handoffs/'.
- Sanitization: None. Data is directly interpolated into a structured markdown template.
- COMMAND_EXECUTION (MEDIUM): The skill requires the agent to perform file system operations, specifically creating directories and writing persistent files to the local environment. While this is a core feature, the persistence mechanism is also the delivery vehicle for injected instructions.
Recommendations
- AI detected serious security threats
Audit Metadata