skills/steveyegge/beads/handoff/Gen Agent Trust Hub

handoff

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill's implementation logic for handling user messages is inherently unsafe. It directs the agent to execute a bash command using direct interpolation: gt mail send <your-address> -s "HANDOFF: Session cycling" -m "<message>". This pattern is a classic shell injection vulnerability. An attacker can provide a message containing shell metacharacters (e.g., "; rm -rf /; ") to terminate the intended command and execute arbitrary code on the host system.
  • REMOTE_CODE_EXECUTION (HIGH): Because the Bash tool is explicitly permitted for these operations in the YAML frontmatter, the lack of input sanitization provides a direct path for untrusted user input to reach a command execution sink.
  • PROMPT_INJECTION (HIGH): This skill exhibits a significant Indirect Prompt Injection surface (Category 8).
      • Ingestion points: User-provided message string in the /handoff command.
      • Boundary markers: None. The template uses simple double quotes which are easily escaped.
      • Capability inventory: The skill has access to the Bash tool to execute gt commands (as defined in SKILL.md).
      • Sanitization: None. The instructions do not specify any validation or escaping of the <message> content before passing it to the shell.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 11:18 PM