The Agent Skills Directory

Indirect Prompt Injection (LOW): The skill is designed to read and interpret handoff files (.claude/handoffs/*.md) to restore session context, creating a surface for indirect instructions to influence agent behavior.
Ingestion points: SKILL.md (RESUME Workflow, Step 3) explicitly instructs the agent to "Read the relevant handoff document completely before taking any action." Additionally, scripts/list_handoffs.py reads file content to extract titles and status.
Boundary markers: No explicit boundary markers or "ignore embedded instructions" warnings are present in the workflows or scripts when processing the handoff content.
Capability inventory: The agent has the capability to execute local Python scripts (create_handoff.py, validate_handoff.py, etc.) and perform file system operations based on the instructions found within these handoffs.
Sanitization: While a validate_handoff.py script is referenced to check for secrets and completeness, there is no evidence of sanitization for natural language instructions that might attempt to override system prompts.
Command Execution (SAFE): The skill invokes local Python scripts located in the scripts/ directory. Analysis of the provided list_handoffs.py shows it uses standard libraries (pathlib, re, os) to perform file listing and metadata extraction without any unsafe shell execution or dynamic command assembly.
Data Exposure (SAFE): The skill accesses files within a specific hidden directory (.claude/handoffs/) for its intended purpose. It does not attempt to access sensitive system paths like SSH keys or cloud credentials.

session-handoff