session-handoff
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes handoff documents from the local file system, creating an indirect prompt injection surface.
  - Ingestion points: Markdown files are read from the .claude/handoffs/ directory during the RESUME workflow (documented in SKILL.md and scripts/list_handoffs.py).
  - Boundary markers: Absent; instructions direct the agent to read the handoff document completely and follow its "Immediate Next Steps" without explicit isolation markers.
  - Capability inventory: The skill can execute git commands via subprocess.run, perform file read/write operations, and access project metadata.
  - Sanitization: Input for file slugs is sanitized in create_handoff.py. While validate_handoff.py scans for secrets and TODOs, there is no sanitization or instruction-filtering for the natural language content of the handoff itself.
- [COMMAND_EXECUTION]: The scripts create_handoff.py and check_staleness.py use the subprocess module to execute git commands (e.g., git log, git diff, git branch). These operations are used for automated metadata collection and project state verification. Arguments are derived from project context or sanitized user input.
- [SAFE]: The skill includes a dedicated security tool, validate_handoff.py, which scans documentation for common patterns associated with hardcoded credentials (API keys, tokens, private keys) and blocks handoffs that fail security checks.
Audit Metadata