session-handoff
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill instructions in `SKILL.md` guide the agent to execute a shell command: `echo "PROMPT_CONTENT" | pbcopy`. Because `PROMPT_CONTENT` is dynamically generated from arbitrary conversation history, the lack of sanitization or escaping allows for shell command injection. An adversary could provide input that breaks out of the echo command (e.g., using backticks or semicolons) to execute arbitrary code.
- [DATA_EXFILTRATION] (LOW): The skill transfers conversation context, including code snippets and potentially sensitive error logs, to the system's global clipboard. While this is the intended feature, it exposes session data to any other application on the host machine with clipboard access.
- [PROMPT_INJECTION] (LOW): The skill creates an indirect injection surface by processing untrusted data and using it in a high-capability context.
  1. Ingestion points: The skill analyzes conversation history, file paths, and error traces as defined in Step 1 of `SKILL.md`.
  2. Boundary markers: No delimiters or ignore-instruction warnings are specified to isolate the content within the shell command.
  3. Capability inventory: The skill utilizes shell command execution.
  4. Sanitization: No instructions or logic are provided to escape or validate untrusted input before it is interpolated into the shell command template.