recover-context
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill possesses a significant attack surface for indirect prompt injection because it is specifically designed to ingest and process untrusted data from external sources.
- Ingestion points: Processes parent session files, markdown files in
WORKLOG/andissues/directories, and arbitrary code files modified in previous sessions (SKILL.md). - Boundary markers: Absent. The instructions do not provide delimiters or warnings to ignore instructions that may be embedded within the recovered context files.
- Capability inventory: The skill uses sub-agent delegation (
session-searcher) and secondary skills (aichat:session-search). The context extracted directly influences the main agent's reasoning and subsequent task execution. - Sanitization: Absent. Content is summarized and presented to the agent without validation, filtering, or escaping of potentially malicious content.
Audit Metadata