handoff-context
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner]: Instruction to copy/paste content into terminal detected

All findings:
[CRITICAL] command_injection: Instruction to copy/paste content into terminal detected (CI012) [AITech 9.1.4]
[CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] (reported 2 times)
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] (reported 5 times)

The skill's stated purpose (capturing context and producing a YAML handoff) is internally consistent with the declared config files, git state capture, and /tmp file usage. However, it mandates executing an unverified shell script discovered in a plugin cache (capture-context.sh), which is a significant supply-chain and local code execution risk: anyone who can write to the plugin files (a compromised plugin update, another tool sharing the cache directory, or a local attacker with write access to that path) gets arbitrary code execution at handoff time with the agent's privileges, and therefore read access to every file the agent can read (configs, git repository contents, and so on). There are no explicit network exfiltration endpoints in the provided text, and no hardcoded secrets or obfuscation, so the package content itself appears non-malicious; the enforced execution pattern is what elevates the overall risk.

Recommendation: treat this skill as suspicious until the contents of capture-context.sh and its integrity mechanisms (signing, checksum, controlled install source) have been reviewed. Do not run the automatic find|bash command; instead implement a safe, auditable mechanism (for example, pin the script's digest at install time and verify it before every execution), or require explicit user consent and verification of the script before it runs.
LLM verification: SUSPICIOUS — The feature's high-level purpose (creating a handoff YAML containing context and git state) is benign, but the documentation mandates finding and executing an external capture-context.sh from plugin directories with no integrity checks, sandboxing, or provenance verification. This design grants an attacker with write access to plugin/cache paths the ability to execute arbitrary code with the user's privileges and potentially exfiltrate sensitive files (configs, SSH keys, git metadat
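The recommendation above asks for an auditable alternative to piping a discovered capture-context.sh into a shell. The following added example (not part of the handoff-context skill or of Socket's tooling) shows the pattern: the digest of the script is pinned at install time, and before every run the helper refuses to execute the file unless it is a regular, non-symlinked file owned by the current user, not world-writable, and matching the pinned SHA-256. The function names, the temp-dir demo script and the "pin at install time" step are assumptions made for the example; a real deployment would keep the pinned digest in a manifest committed with the installer, not computed on the fly.

```shell
#!/bin/sh
# Added example, hypothetical helpers: verify a plugin script before executing it,
# instead of `find <plugin-cache> -name capture-context.sh | bash`.

# Portable SHA-256 (GNU coreutils sha256sum or BSD/macOS shasum).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_script PATH EXPECTED_SHA256
# Returns 0 only if PATH is a regular file (not a symlink), owned by the
# current user, not world-writable, and its SHA-256 matches the pinned value.
verify_script() {
  script=$1; expected=$2
  [ -f "$script" ] || { echo "refuse: $script is not a regular file" >&2; return 1; }
  # A symlink in the cache could point at an attacker-controlled file.
  [ ! -L "$script" ] || { echo "refuse: $script is a symlink" >&2; return 1; }
  # Ownership and world-writable checks via find's portable octal -perm test.
  if [ -z "$(find "$script" -maxdepth 0 -user "$(id -un)" ! -perm -002 2>/dev/null)" ]; then
    echo "refuse: $script is not owned by $(id -un) or is world-writable" >&2
    return 1
  fi
  actual=$(file_sha256 "$script")
  if [ "$actual" != "$expected" ]; then
    echo "refuse: digest mismatch for $script" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# run_verified_script PATH EXPECTED_SHA256 [ARGS...]
# Executes the script only after verify_script accepts it; discovered
# content is never piped into a shell.
run_verified_script() {
  script=$1; expected=$2; shift 2
  verify_script "$script" "$expected" || return 1
  sh "$script" "$@"
}

# Demo with a constructed script in a temp dir (constructed sample, not the
# skill's real capture-context.sh).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "capturing context for $1"\n' > "$demo_dir/capture-context.sh"
chmod 700 "$demo_dir/capture-context.sh"
PINNED=$(file_sha256 "$demo_dir/capture-context.sh")   # pinned at install time (assumption)

run_verified_script "$demo_dir/capture-context.sh" "$PINNED" demo-branch

# Simulate tampering with the cached script: the pinned digest no longer
# matches, so execution is refused.
echo 'echo injected' >> "$demo_dir/capture-context.sh"
if run_verified_script "$demo_dir/capture-context.sh" "$PINNED" demo-branch; then
  echo "BUG: tampered script was executed"
else
  echo "tampered script refused"
fi
rm -rf "$demo_dir"
```

The check deliberately runs against the resolved file every time rather than once at install: the threat in the audit is a later modification of the cached plugin, which only a per-run digest comparison (or a signature check) catches. Ownership and world-writable checks are a cheap second layer for the case where the pinned digest itself is stale or missing.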