moai-core-session-state

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its session-resume and handoff architecture. It ingests data from .moai/sessions/ and handoff_package objects which contain historical context that may include malicious instructions from previous untrusted interactions.
    • Ingestion points: Session state files in .moai/sessions/ and the handoff_package passed during agent transitions.
    • Boundary markers: No specific delimiters or safety instructions are defined to separate ingested history from active instructions.
    • Capability inventory: Access to Bash for command execution and TodoWrite for file system modification.
    • Sanitization: The implementation lacks sanitization or validation logic for data restored from checkpoints.
  • [COMMAND_EXECUTION]: The skill employs the Bash tool to interface with Model Context Protocol (MCP) servers and execute system checks. The provided logic allows for the dynamic enabling and disabling of MCP servers, which could be leveraged to modify the agent's operating environment or bypass security constraints if manipulated.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 2, 2026, 05:14 PM