session-handoff

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: The execution script 'session-handoff.cjs' invokes an internal script, 'scripts/spawn-new-session.cjs', via child_process.execFileSync, but that script is missing from the bundle. It also requires an external module 'session-id-manager.cjs' that is not provided in the bundle, rendering its behavior unverifiable.
  • [PROMPT_INJECTION]: The 'SKILL.md' metadata includes a 'verified: true' flag. This is an unauthenticated claim about the skill's security status that may mislead users and bypass caution.
  • [PROMPT_INJECTION]: The skill constructs a 'resumePrompt' for subsequent agent sessions using controlling language like 'execute ALL tasks' and 'Do NOT stop'. This attempts to override the autonomy and safety protocols of the agent in the next session.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting data from multiple files, including 'active_context.md' and 'learnings.md', and interpolating them into instructions for the next agent session without sanitization. Evidence Chain:
      1. Ingestion points: session-handoff.cjs (active_context.md, tasks.json, decisions.md, issues.md, learnings.md)
      2. Boundary markers: Absent
      3. Capability inventory: Shell execution via node in session-handoff.cjs
      4. Sanitization: Absent
  • [DATA_EXFILTRATION]: The skill aggregates sensitive internal project metadata, such as token usage from 'budget-tracker.json' and architectural decisions from 'decisions.md', into a single log file. This centralized collection of context increases the potential impact of information exposure.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 06:02 AM