checkpoint-persistence
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing multiple
gh(GitHub CLI) commands (edit,comment,view,list) to synchronize state with remote repositories. While it correctly uses--body-fileto mitigate some command-line injection risks, it still involves executing shell commands based on internal agent state. - [DATA_EXFILTRATION]: The skill is designed to automatically transmit sensitive local data to GitHub, including verbatim conversation history (
Last Turn), full response snapshots (Last Reply), and local markdown log contents (Plan Snapshot). If the targeted repository is public, this leads to significant information disclosure of the agent's internal workings and user interactions. - [PROMPT_INJECTION]: The
resumefunctionality introduces an indirect prompt injection surface. - Ingestion points: Data is ingested via
gh issue view --comments(referenced inSKILL.md). - Boundary markers: The instructions do not specify any delimiters or safety filters to isolate the recovered state from the rest of the conversation.
- Capability inventory: The agent's subsequent actions are directly influenced by the
Next,Goal, andStatusfields recovered from these external comments. - Sanitization: There is no evidence of validation or sanitization of the comment content before it is used to restore the agent's operational context.
Audit Metadata