recursive-handoff

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, NO_CODE
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill explicitly instructs the agent to verify completion conditions using programmatic methods such as shell commands, grep, and API responses. Evidence found in SKILL.md: 'The condition must be verifiable programmatically (file check, command output, grep result, API response, etc.)'. This pattern grants the agent a wide-ranging capability to execute system-level commands as part of its routine loop logic.
  • [PROMPT_INJECTION] (HIGH): The 'Handoff Prompt Template' creates a self-referential instruction stream where the agent generates its own future prompts. This is highly vulnerable to Indirect Prompt Injection (Category 8).
      ◦ Ingestion points: Untrusted data enters via the [CONDITION], [COMMAND OR METHOD TO VERIFY CONDITION], and [TASK] placeholders in the handoff template.
      ◦ Boundary markers: Absent. The template does not use delimiters or specific 'ignore embedded instructions' warnings for the task content.
      ◦ Capability inventory: The skill empowers the agent to execute subprocesses (grep/file checks) and potentially perform file-write or network operations as part of the iteration 'Task'.
      ◦ Sanitization: None. The skill relies on basic string interpolation, which allows malicious data within a task to rewrite the 'Finish Condition' or hijack the loop to perform unauthorized actions.
  • [NO_CODE] (INFO): The skill consists entirely of Markdown instructions and prompt templates without accompanying scripts or binaries. While no malicious code is directly included, the instructional content directs the agent toward high-risk execution behaviors.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 02:00 AM