handoff
Warn
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The path resolution logic in
scripts/handoff.pyis insufficiently constrained. Theresolve_existing_filefunction allows thetargetargument to be an absolute path or contain traversal components (e.g.,../), which the script returns as the authoritative target for the agent to use. This can be exploited to trick the agent into reading from or writing to sensitive system files outside the designatedrepo/progress/handoffs/directory. - [COMMAND_EXECUTION]: The skill executes
gitcommands and internal Python scripts viasubprocess.run. These executions use argument lists and avoidshell=True, which follows safety best practices for local command execution, though the tool remains dependent on the integrity of theproject-rootcontext provided by the agent. - [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by design. It processes and summarizes repository data that may contain malicious instructions.
- Ingestion points:
scripts/git_changes.pyreads file contents and git diffs from the local repository. - Boundary markers: Handoffs are generated using markdown templates in
references/handoff-template.md, but they do not incorporate explicit instructions for the agent to ignore or isolate instructions found within the summarized data. - Capability inventory: The skill has the capability to execute git commands and facilitate file system writes by the agent.
- Sanitization: There is no evidence of sanitization or escaping of the repository content (e.g., code snippets) before it is included in the handoff artifacts.
Audit Metadata