handoff
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill instructs the agent to read an external file (`HANDOFF.md`) and 'follow its instructions to continue the work.' This establishes a direct vector for indirect prompt injection.
  - Ingestion points: The skill reads the `HANDOFF.md` file from the current directory at the start of new sessions.
  - Boundary markers: None. The instructions do not define delimiters or warn the agent to ignore embedded instructions within the handoff file.
  - Capability inventory: The agent likely has file-system access, shell execution, and editing capabilities to perform the requested 'work'.
  - Sanitization: No sanitization or validation of the handoff file's content is performed before the agent adopts its instructions as goals.
- [Data Exposure] (SAFE): While the skill encourages identifying sensitive files (configs, tests) for context, it follows best practices by using an example showing `.env.example` rather than sensitive `.env` files. Users should still be cautious about which files are indexed in the handoff document.
Audit Metadata